network: Update to latest upstream

Message ID 20230919130819.517404-1-jonatan.schlag@ipfire.org
State New
Headers
Series network: Update to latest upstream |

Commit Message

Jonatan Schlag Sept. 19, 2023, 1:08 p.m. UTC
  As there is not a new release we apply 300 something patches.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
---
 network/network.nm                            |    5 +-
 .../patches/0001-Bump-version-to-011.patch    |   26 +
 ...Check-input-and-return-useful-errors.patch |  144 ++
 .../0003-bridge-Fix-assertion-for-MTU.patch   |   32 +
 ...rder-functions-into-the-common-order.patch |  127 ++
 .../0005-bridge-Set-proper-defaults.patch     |   78 +
 ...rder-arguments-in-alphabetical-order.patch |   46 +
 ...ge-Add-option-to-missing-stp-max-age.patch |   33 +
 .../patches/0008-Remove-unused-function.patch |   29 +
 ...ding-Validate-any-MAC-address-passed.patch |   33 +
 ...-ip-tunnel-Set-TTL-to-255-by-default.patch |   34 +
 ...-Add-some-generic-configuration-file.patch |  107 ++
 ...c-routes-instead-of-doing-that-manua.patch |  146 ++
 ...-configuration-when-network-is-initi.patch |   28 +
 .../0014-dns-Always-enable-EDNS0.patch        |   32 +
 ...automatic-channel-selection-ACS-by-d.patch |   27 +
 ...llow-to-disable-DFS-in-configuration.patch |  102 ++
 ...DFS-automatically-when-not-supported.patch |   99 +
 ...-ap-Add-CLI-to-set-channel-bandwidth.patch |   87 +
 ...ot-to-add-configuration-variables-to.patch |   29 +
 ...y-channel-bandwidth-to-configuration.patch |  109 ++
 ...s-ap-Enable-ACS-only-for-ath-devices.patch |  117 ++
 ...w-setting-the-wireless-environment-i.patch |  164 ++
 ...3-hostapd-Remove-now-useless-comment.patch |   26 +
 ...Always-enable-Transmit-Power-Control.patch |   30 +
 ...025-hostapd-Set-default-WMM-settings.patch |   72 +
 ...-Kick-stations-that-are-too-far-away.patch |   27 +
 .../0027-hostapd-Always-qoute-SSID.patch      |   34 +
 ...w-to-enable-disable-802.11w-Manageme.patch |  130 ++
 ...network-Show-when-a-PHY-supports-ACS.patch |   26 +
 ...i_device_status_phy-to-functions.phy.patch |  112 ++
 ...stapd-Dump-config-file-in-debug-mode.patch |   52 +
 ...matically-enable-all-supported-ciphe.patch |  519 ++++++
 ...nable-WPA-authentication-with-SHA256.patch |   26 +
 ...ally-set-defaults-for-all-port-hooks.patch |   98 +
 ...oks-Import-zone-default-settings-too.patch |  176 ++
 ...-Convert-HOOK_SETTINGS-into-an-array.patch |  628 +++++++
 .../0037-settings-Some-code-refactoring.patch |  133 ++
 ...38-ports-Drop-HOOK_SETTINGS-variable.patch |  239 +++
 ...multiple-copies-of-the-same-function.patch |  162 ++
 ...0-wireless-ap-Remove-support-for-WPA.patch |   58 +
 ...dd-support-for-WPA3-and-rewrite-WPA2.patch |  280 +++
 ...-hotplug-rename-Drop-unused-variable.patch |   27 +
 ...WPA2-authentication-only-with-SHA256.patch |   29 +
 ...ireless-ap-Enable-802.11w-by-default.patch |   31 +
 ...t_bool-convenience-function-where-ev.patch |  100 +
 ...OOK_CONFIG_SETTINGS-to-HOOK_SETTINGS.patch |  196 ++
 ...nabled-from-configuration-parameters.patch |   99 +
 ...dhcp-Fix-syntax-error-in-last-commit.patch |   30 +
 ...NIQUE-which-stops-us-from-creating-m.patch |  158 ++
 ...k-that-secret-has-the-correct-length.patch |  105 ++
 .../0051-Drop-old-locking-functions.patch     |  235 +++
 ...nnel-Enable-support-for-6in4-tunnels.patch |   26 +
 .../0053-lock-Cleanup-lock-files.patch        |   37 +
 ...quire-MFP-for-SAE-when-it-is-enabled.patch |   45 +
 ...6-router-advertisement-configuration.patch |  117 ++
 .../patches/0056-Drop-code-for-radvd.patch    |  314 ++++
 ...57-.gitignore-Ignore-vim-s-swp-files.patch |   25 +
 ...ke-sure-the-daemon-is-always-running.patch |   73 +
 .../0059-configure-Require-asciidoc.patch     |   28 +
 .../0060-man-Add-test-page-for-asciidoc.patch |   94 +
 ...idoc-to-generate-HTML-pages-directly.patch |   86 +
 ...-man-Add-asciidoc-configuration-file.patch |   62 +
 ...t-network-8-from-docbook-to-asciidoc.patch |  503 +++++
 ...-Convert-network-color-8-to-asciidoc.patch |  152 ++
 network/patches/0065-man-Drop-test-page.patch |   44 +
 .../0066-man-network-color-Add-synopsis.patch |   32 +
 ...onvert-firewall-settings-to-asciidoc.patch |  409 +++++
 ...rt-network-description-8-to-asciidoc.patch |  144 ++
 ...Convert-network-device-8-to-asciidoc.patch |  254 +++
 ...n-Convert-network-dhcp-8-to-asciidoc.patch |  217 +++
 ...ert-network-dns-server-8-to-asciidoc.patch |  306 ++++
 ...ork-performance-tuning-8-to-asciidoc.patch |  135 ++
 ...n-Convert-network-port-8-to-asciidoc.patch |  370 ++++
 ...ng-network-quick-start-8-to-asciidoc.patch |  275 +++
 ...5-man-Use-include-for-color-commands.patch |   55 +
 ...an-Drop-old-network-color-8-man-page.patch |   72 +
 .../patches/0077-man-Fix-page-headers.patch   |   38 +
 ...-Convert-network-route-8-to-asciidoc.patch |  157 ++
 .../0079-.gitignore-Ignore-DS_Store.patch     |   26 +
 ...t-network-route-static-8-to-asciidoc.patch |  280 +++
 ...nvert-network-settings-8-to-asciidoc.patch |  190 ++
 ...an-Convert-network-vpn-8-to-asciidoc.patch |  135 ++
 ...ork-vpn-security-policies-8-to-ascii.patch |  453 +++++
 ...n-Convert-network-zone-8-to-asciidoc.patch |  375 ++++
 ...rt-network-zone-bridge-8-to-asciidoc.patch |  255 +++
 ...ork-zone-config-pppoe-server-8-to-as.patch |  222 +++
 ...network-zone-ip-tunnel-8-to-asciidoc.patch |  184 ++
 ...ert-network-zone-modem-8-to-asciidoc.patch |  329 ++++
 ...ert-network-zone-pppoe-8-to-asciidoc.patch |  266 +++
 ...-network-zone-wireless-8-to-asciidoc.patch |  167 ++
 .../patches/0091-man-Cleanup-XML-files.patch  |   43 +
 .../0092-man-Make-distcheck-happy.patch       |   54 +
 ...man-Include-include-files-in-tarball.patch |   28 +
 ...94-man-network-route-static-Fix-name.patch |   26 +
 ...-Add-target-to-upload-HTML-man-pages.patch |   28 +
 ...ate-HTML-documentation-in-normal-bui.patch |   29 +
 .../0097-man-Fix-authorship-warnings.patch    |  205 +++
 ...tax-format-more-similar-across-files.patch |  583 ++++++
 ...itable-function-to-determine-the-por.patch |   53 +
 ...t-hook-to-use-parse_cmdline-function.patch |   76 +
 ...-Validate-and-always-set-MAC-address.patch |   42 +
 ...nknown-command-line-parameters-are-b.patch |   29 +
 ...-Rename-PARENT_DEVICE-to-PARENT_PORT.patch |  102 ++
 ...rent-device-exists-before-bringing-i.patch |   35 +
 .../0105-vlan-Simplify-vlan_remove.patch      |   32 +
 .../0106-vlan-Refactor-vlan_create.patch      |  146 ++
 ...lan-Create-partent-port-if-necessary.patch |   30 +
 .../0108-vlan-Drop-ebtables-stuff.patch       |   49 +
 .../patches/0109-vlan-Rename-tag-to-id.patch  |  159 ++
 network/patches/0110-vlan-Validate-ID.patch   |  110 ++
 ...hich-will-stop-the-program-immediate.patch |   48 +
 ...12-vlan-Add-support-for-802.1ad-QinQ.patch |  139 ++
 ...ry-to-start-Bird-during-boot-process.patch |   57 +
 ...-Break-when-asciidoc-cannot-be-found.patch |   27 +
 .../0115-Fix-creating-new-configs.patch       |   29 +
 .../0116-inetcalc-Fix-compiler-warnings.patch |   30 +
 ...p-separate-scripts-for-IPv6-and-IPv4.patch |   70 +
 ...stemd-Remove-double-firewall-scripts.patch |   76 +
 ...ewall-Add-init-action-to-main-script.patch |   54 +
 ...ll-Drop-initialisation-helper-script.patch |   79 +
 ...ert-firewall-Disable-PMTU-by-default.patch |   28 +
 ...irewall-Fix-reading-writing-settings.patch |  147 ++
 ...rewall-config-command-in-favour-of-f.patch |   80 +
 ...attempt-DFS-when-reg-domain-is-set-t.patch |   30 +
 ...ce-when-needed-and-not-already-runni.patch |   42 +
 ...unnel-Support-setting-MTU-on-tunnels.patch |   60 +
 ...firewall-Fix-generating-systemd-file.patch |   33 +
 ...8-Make-generating-man-pages-optional.patch |   69 +
 ...-Add-documentation-for-the-IPsec-VPN.patch |  135 ++
 ...130-Makefile-Add-network-vpn-ipsec-8.patch |   25 +
 ...icies-performance-Remove-CBC-ciphers.patch |   23 +
 .../0132-IPsec-Add-support-for-Curve448.patch |   65 +
 network/patches/0133-Disable-copybreak.patch  |  112 ++
 .../0134-configure-Check-for-libsystemd.patch |   25 +
 ...akefile-Add-scaffolding-for-networkd.patch |   93 +
 .../0136-networkd-Link-against-systemd.patch  |   34 +
 ...Tell-systemd-about-the-daemon-status.patch |   47 +
 ...etworkd-Create-a-simple-daemon-class.patch |  170 ++
 .../0139-networkd-Create-an-event-loop.patch  |  147 ++
 ...networkd-Enable-the-service-watchdog.patch |   31 +
 ...etworkd-Add-some-very-simple-logging.patch |  104 ++
 ...workd-Register-SIGTERM-SIGINT-SIGHUP.patch |   90 +
 ...Add-scaffolding-to-reload-the-daemon.patch |   93 +
 ...-system-extensions-to-define-_GNU_SO.patch |   27 +
 ...d-Add-scaffolding-to-connect-to-dbus.patch |  255 +++
 ...d-Add-scaffolding-for-config-objects.patch |  131 ++
 ...ffolding-to-read-configuration-files.patch |   94 +
 ...plement-setting-configuration-values.patch |  283 +++
 ...plement-reading-configuration-values.patch |   55 +
 ...mplement-writing-configuration-files.patch |   79 +
 ...etworkd-Read-main-configuration-file.patch |   54 +
 ...onfiguration-path-from-build-scripts.patch |   41 +
 ...3-networkd-Add-scaffolding-for-zones.patch |  192 ++
 ...networkd-Install-a-dbus-service-file.patch |   82 +
 .../0155-networkd-Install-a-dbus-policy.patch |   87 +
 ...onfigure-Tidy-up-dbus-path-detection.patch |   53 +
 ...on-sensical-CFLAGS-and-add-more-warn.patch |   77 +
 ...ork-Fix-prototype-of-network_version.patch |   26 +
 ...stemd-notifications-into-daemon-obje.patch |  104 ++
 ...Fix-incorrect-name-on-IPsec-man-page.patch |   45 +
 ...Install-some-simple-PolicyKit-policy.patch |   94 +
 ...nction-when-we-are-connected-to-dbus.patch |   51 +
 ...workd-Install-a-systemd-service-file.patch |  116 ++
 ...lly-implement-bus-handler-for-Reload.patch |   32 +
 ...d-Asynchronously-register-to-the-bus.patch |   28 +
 ...Split-flushing-all-entries-into-a-fu.patch |   71 +
 ...config-read-functions-to-not-create-.patch |   70 +
 ...he-path-with-the-configuration-objec.patch |  200 ++
 ...ry-to-read-configuration-automatical.patch |  137 ++
 ...kd-Read-all-zones-from-configuration.patch |  201 ++
 ...ate-a-unified-function-to-register-a.patch |  128 ++
 ...a-dummy-bus-implementation-for-zones.patch |   99 +
 ...emon-to-all-functions-called-by-the-.patch |   66 +
 ...kd-Move-zone-list-into-an-own-object.patch |  493 +++++
 ...plement-enumerating-zones-on-the-bus.patch |  238 +++
 ...zone-when-it-is-being-accessed-by-it.patch |  159 ++
 ...aemon-bus-implementation-into-a-sepa.patch |  175 ++
 ...d-a-test-bus-property-to-set-the-MTU.patch |  201 ++
 .../0179-networkd-Connect-to-udev.patch       |  203 +++
 ...-to-a-non-privileged-user-right-away.patch |  105 ++
 ...l-capabilities-except-a-few-we-would.patch |  195 ++
 ...ct-to-the-kernel-s-netlink-interface.patch |   95 +
 ...183-networkd-Link-against-libnetwork.patch |   25 +
 .../0184-networkd-Add-a-link-object.patch     |  145 ++
 ...5-networkd-Add-a-container-for-links.patch |  303 +++
 ...workd-Enumerate-all-links-on-startup.patch |  172 ++
 ...ate-a-link-object-for-each-interface.patch |  362 ++++
 ...workd-Only-add-link-if-we-created-it.patch |   38 +
 .../0189-networkd-Import-interface-name.patch |  106 ++
 .../patches/0190-networkd-Read-link-MTU.patch |   96 +
 ...Actually-return-entry-instead-of-fre.patch |   27 +
 ...Implement-reading-configuration-file.patch |  139 ++
 ...3-networkd-Add-scaffolding-for-ports.patch |  159 ++
 .../0194-networkd-Add-port-container.patch    |  240 +++
 ...-networkd-Enumerate-ports-on-startup.patch |  247 +++
 ...erform-port-setup-from-configuration.patch |  147 ++
 ...-Ethernet-address-from-configuration.patch |  145 ++
 ...e-a-random-Ethernet-address-for-port.patch |   93 +
 ...ce-address-flags-for-better-readabil.patch |   43 +
 ...f-Ethernet-addresses-from-config-are.patch |   46 +
 ...0201-networkd-Export-ports-over-dbus.patch |  347 ++++
 ...-Fix-buffer-to-Ethernet-address-stri.patch |   27 +
 ...ts-Export-Ethernet-address-over-dbus.patch |  102 ++
 ...hod-to-fetch-corresponding-link-to-p.patch |  201 ++
 ...e-typedef-to-keep-type-names-shorter.patch | 1617 +++++++++++++++++
 ...re-a-reference-to-the-daemon-in-zone.patch |  180 ++
 ...-networkd-Refactor-enumerating-zones.patch |  231 +++
 ...-configuration-when-the-daemon-exits.patch |  239 +++
 .../0209-networkd-Store-any-flags.patch       |   69 +
 .../0210-networkd-Store-operstate-too.patch   |   59 +
 ...ction-to-check-whether-a-link-has-a-.patch |   96 +
 ...hods-to-check-zones-ports-for-carrie.patch |   92 +
 .../0213-networkd-Log-to-journald.patch       |  137 ++
 ...-networkd-Install-in-usr-lib-network.patch |   49 +
 ...5-networkctl-Create-some-scaffolding.patch |   94 +
 ...networkctl-Connect-to-the-system-bus.patch |   45 +
 ...-Add-some-help-and-version-arguments.patch |   94 +
 ...Implement-a-basic-command-dispatcher.patch |  172 ++
 ...orkd-Implement-ListZones-bus-command.patch |  169 ++
 ...tworkctl-Implement-zone-list-command.patch |  188 ++
 ...1-networkd-Fix-finding-links-by-name.patch |   56 +
 ...-Keep-a-permanent-reference-to-links.patch |   81 +
 ...-Keep-a-permanent-reference-to-links.patch |   89 +
 ...Add-functions-to-handle-boolean-valu.patch |   63 +
 ...reconfigure-all-ports-and-zones-on-s.patch |  210 +++
 ...26-networkd-Implement-deleting-links.patch |  147 ++
 ...ically-reference-dereference-links-t.patch |  368 ++++
 ...reate-dummy-function-to-create-links.patch |   46 +
 ...mon-Correctly-store-reference-to-bus.patch |  157 ++
 ...-stats-regulary-and-emit-them-on-dbu.patch |  667 +++++++
 ...ut-buffer-size-when-formatting-MAC-a.patch |   27 +
 ...-if-there-is-garbage-after-intergers.patch |   42 +
 ...oid-adding-empty-line-after-integers.patch |   26 +
 ...-Require-type-to-be-set-at-all-times.patch |  133 ++
 ...lement-reading-writing-VLAN-settings.patch |  287 +++
 ...36-ports-Implement-destroying-a-port.patch |  193 ++
 ...te-scaffolding-for-operations-struct.patch |  156 ++
 ...ts-Move-VLAN-stuff-into-its-own-file.patch |  591 ++++++
 ...-Implement-creating-links-from-ports.patch |  294 +++
 ...-ops-struct-as-we-will-need-to-store.patch |  219 +++
 ...ts-Implement-listing-ports-over-DBus.patch |  256 +++
 ...n-code-handling-when-listing-ports-z.patch |   56 +
 ...ect-to-come-back-after-creating-link.patch |   32 +
 ...nfigure-MAC-address-when-creating-li.patch |   34 +
 ...rts-Show-message-when-creating-ports.patch |   26 +
 .../0246-ports-Constify-info-struct.patch     |   80 +
 ...we-created-a-random-Ethernet-address.patch |   50 +
 ...-the-most-basic-supports-for-bonding.patch |  309 ++++
 ...AN-settings-into-its-own-header-file.patch |   64 +
 ...tworkctl-Fix-typo-in-bus-method-name.patch |   26 +
 ...a-function-the-generally-fetches-the.patch |  163 ++
 ...ompare-truthiness-case-insensitively.patch |   26 +
 .../0253-configure-Depend-on-JSON-C.patch     |   46 +
 ...thod-to-export-port-information-as-J.patch |  302 +++
 ...0255-networkctl-Fix-parsing-commands.patch |   52 +
 ...ment-dump-command-for-ports-which-sh.patch |   94 +
 ...s-to-easily-define-string-table-look.patch |   70 +
 ...s-VLAN-Implement-choosing-a-protocol.patch |  156 ++
 ...e-parser-to-easier-read-write-config.patch |  716 ++++++++
 ...bonding-Convert-mode-to-string-table.patch |   93 +
 ...ta-to-value-as-it-holds-a-reference-.patch |  221 +++
 ...config-Add-data-pointer-to-callbacks.patch |  255 +++
 ...Define-an-own-type-for-string-tables.patch |   75 +
 ...t-option-that-looks-up-string-tables.patch |  184 ++
 .../0265-ports-Store-the-parent-name.patch    |   32 +
 ...ts-VLAN-Make-all-constants-uppercase.patch |   49 +
 network/patches/0267-ports-Unify-type.patch   |  440 +++++
 ...s-Move-VLAN-constants-to-VLAN-header.patch |   46 +
 .../0269-ports-Drop-UNKNOWN-type.patch        |   48 +
 ...lement-scaffolding-for-configuration.patch |   74 +
 ...71-ports-VLAN-Validate-configuration.patch |   53 +
 ...rash-when-a-port-could-not-be-loaded.patch |   40 +
 ...functions-return-negative-values-on-.patch |   33 +
 ...etworkd-Parse-command-line-arguments.patch |  132 ++
 ...nfig-directory-and-keep-a-handle-to-.patch |  163 ++
 ...old-a-file-descriptor-instead-of-DIR.patch |   99 +
 ...tworkd-Add-a-simple-test-environment.patch |  197 ++
 ...nk-to-show-the-status-of-the-environ.patch |   48 +
 ...minate-after-showing-help-or-version.patch |   64 +
 ...ient-if-networkd-does-not-want-to-te.patch |   84 +
 ...etworkd-as-root-in-its-own-namespace.patch |   26 +
 ...282-ports-Refactor-enumerating-ports.patch |  636 +++++++
 ...st-that-creates-two-dummy-interfaces.patch |   67 +
 ...84-tests-Always-dump-the-environment.patch |   47 +
 ...re-information-from-test-environment.patch |   26 +
 ...ts-bonding-Use-correct-enum-for-mode.patch |   38 +
 .../0287-networkd-json-Include-string.h.patch |   25 +
 .../0288-ports-Add-support-for-VETH.patch     |  228 +++
 .../0289-config-Add-string-buffer-type.patch  |  264 +++
 .../0290-networkctl-Add-color-functions.patch |  176 ++
 ...l-Move-describe-into-an-own-function.patch |  106 ++
 ...-Implement-scaffolding-to-show-ports.patch |  145 ++
 ...-ports-Add-link-stuff-to-JSON-output.patch |   82 +
 ...link-Add-device-stuff-to-JSON-output.patch |  185 ++
 ...lding-for-physical-Ethernet-interfac.patch |  246 +++
 .../0296-logging-Add-WARNING-log-level.patch  |   25 +
 ...etworkd-Handle-any-uevents-for-links.patch |  148 ++
 ...e-udev-device-when-links-are-created.patch |   83 +
 ...p-uevent-when-the-device-is-renaming.patch |   60 +
 ...nt-smarter-handling-of-the-configura.patch |  951 ++++++++++
 ...ones-Move-struct-nw_zone-into-header.patch |  115 ++
 ...Drop-unused-configuration-file-paths.patch |   40 +
 network/patches/0303-util-Drop-nw_ftw.patch   |   77 +
 ...4-Makefile-Fix-typo-in-localstatedir.patch |   26 +
 network/patches/network-fix-logdir-path.patch |   23 -
 306 files changed, 40819 insertions(+), 24 deletions(-)
 create mode 100644 network/patches/0001-Bump-version-to-011.patch
 create mode 100644 network/patches/0002-bridge-Check-input-and-return-useful-errors.patch
 create mode 100644 network/patches/0003-bridge-Fix-assertion-for-MTU.patch
 create mode 100644 network/patches/0004-bridge-Reorder-functions-into-the-common-order.patch
 create mode 100644 network/patches/0005-bridge-Set-proper-defaults.patch
 create mode 100644 network/patches/0006-bridge-Order-arguments-in-alphabetical-order.patch
 create mode 100644 network/patches/0007-bridge-Add-option-to-missing-stp-max-age.patch
 create mode 100644 network/patches/0008-Remove-unused-function.patch
 create mode 100644 network/patches/0009-bonding-Validate-any-MAC-address-passed.patch
 create mode 100644 network/patches/0010-ip-tunnel-Set-TTL-to-255-by-default.patch
 create mode 100644 network/patches/0011-bird-Add-some-generic-configuration-file.patch
 create mode 100644 network/patches/0012-bird-Apply-static-routes-instead-of-doing-that-manua.patch
 create mode 100644 network/patches/0013-bird-Re-generate-configuration-when-network-is-initi.patch
 create mode 100644 network/patches/0014-dns-Always-enable-EDNS0.patch
 create mode 100644 network/patches/0015-wireless-ap-Use-automatic-channel-selection-ACS-by-d.patch
 create mode 100644 network/patches/0016-wireless-ap-Allow-to-disable-DFS-in-configuration.patch
 create mode 100644 network/patches/0017-hostapd-Disable-DFS-automatically-when-not-supported.patch
 create mode 100644 network/patches/0018-wireless-ap-Add-CLI-to-set-channel-bandwidth.patch
 create mode 100644 network/patches/0019-wireless-ap-Forgot-to-add-configuration-variables-to.patch
 create mode 100644 network/patches/0020-hostapd-Apply-channel-bandwidth-to-configuration.patch
 create mode 100644 network/patches/0021-wireless-ap-Enable-ACS-only-for-ath-devices.patch
 create mode 100644 network/patches/0022-wireless-ap-Allow-setting-the-wireless-environment-i.patch
 create mode 100644 network/patches/0023-hostapd-Remove-now-useless-comment.patch
 create mode 100644 network/patches/0024-hostapd-Always-enable-Transmit-Power-Control.patch
 create mode 100644 network/patches/0025-hostapd-Set-default-WMM-settings.patch
 create mode 100644 network/patches/0026-hostapd-Kick-stations-that-are-too-far-away.patch
 create mode 100644 network/patches/0027-hostapd-Always-qoute-SSID.patch
 create mode 100644 network/patches/0028-wireless-ap-Allow-to-enable-disable-802.11w-Manageme.patch
 create mode 100644 network/patches/0029-network-Show-when-a-PHY-supports-ACS.patch
 create mode 100644 network/patches/0030-Move-cli_device_status_phy-to-functions.phy.patch
 create mode 100644 network/patches/0031-hostapd-Dump-config-file-in-debug-mode.patch
 create mode 100644 network/patches/0032-wireless-ap-Automatically-enable-all-supported-ciphe.patch
 create mode 100644 network/patches/0033-hostapd-Enable-WPA-authentication-with-SHA256.patch
 create mode 100644 network/patches/0034-hooks-Automatically-set-defaults-for-all-port-hooks.patch
 create mode 100644 network/patches/0035-hooks-Import-zone-default-settings-too.patch
 create mode 100644 network/patches/0036-Convert-HOOK_SETTINGS-into-an-array.patch
 create mode 100644 network/patches/0037-settings-Some-code-refactoring.patch
 create mode 100644 network/patches/0038-ports-Drop-HOOK_SETTINGS-variable.patch
 create mode 100644 network/patches/0039-hotplug-Remove-multiple-copies-of-the-same-function.patch
 create mode 100644 network/patches/0040-wireless-ap-Remove-support-for-WPA.patch
 create mode 100644 network/patches/0041-wireless-ap-Add-support-for-WPA3-and-rewrite-WPA2.patch
 create mode 100644 network/patches/0042-hotplug-rename-Drop-unused-variable.patch
 create mode 100644 network/patches/0043-hostapd-Allow-WPA2-authentication-only-with-SHA256.patch
 create mode 100644 network/patches/0044-wireless-ap-Enable-802.11w-by-default.patch
 create mode 100644 network/patches/0045-hooks-Use-cli_get_bool-convenience-function-where-ev.patch
 create mode 100644 network/patches/0046-hook-Rename-HOOK_CONFIG_SETTINGS-to-HOOK_SETTINGS.patch
 create mode 100644 network/patches/0047-dhcp-Rename-enabled-from-configuration-parameters.patch
 create mode 100644 network/patches/0048-dhcp-Fix-syntax-error-in-last-commit.patch
 create mode 100644 network/patches/0049-hooks-Add-HOOK_UNIQUE-which-stops-us-from-creating-m.patch
 create mode 100644 network/patches/0050-wireless-ap-Check-that-secret-has-the-correct-length.patch
 create mode 100644 network/patches/0051-Drop-old-locking-functions.patch
 create mode 100644 network/patches/0052-ip-tunnel-Enable-support-for-6in4-tunnels.patch
 create mode 100644 network/patches/0053-lock-Cleanup-lock-files.patch
 create mode 100644 network/patches/0054-hostapd-Require-MFP-for-SAE-when-it-is-enabled.patch
 create mode 100644 network/patches/0055-bird-Write-IPv6-router-advertisement-configuration.patch
 create mode 100644 network/patches/0056-Drop-code-for-radvd.patch
 create mode 100644 network/patches/0057-.gitignore-Ignore-vim-s-swp-files.patch
 create mode 100644 network/patches/0058-bird-Make-sure-the-daemon-is-always-running.patch
 create mode 100644 network/patches/0059-configure-Require-asciidoc.patch
 create mode 100644 network/patches/0060-man-Add-test-page-for-asciidoc.patch
 create mode 100644 network/patches/0061-man-Use-asciidoc-to-generate-HTML-pages-directly.patch
 create mode 100644 network/patches/0062-man-Add-asciidoc-configuration-file.patch
 create mode 100644 network/patches/0063-man-Convert-network-8-from-docbook-to-asciidoc.patch
 create mode 100644 network/patches/0064-man-Convert-network-color-8-to-asciidoc.patch
 create mode 100644 network/patches/0065-man-Drop-test-page.patch
 create mode 100644 network/patches/0066-man-network-color-Add-synopsis.patch
 create mode 100644 network/patches/0067-man-Convert-firewall-settings-to-asciidoc.patch
 create mode 100644 network/patches/0068-man-Convert-network-description-8-to-asciidoc.patch
 create mode 100644 network/patches/0069-man-Convert-network-device-8-to-asciidoc.patch
 create mode 100644 network/patches/0070-man-Convert-network-dhcp-8-to-asciidoc.patch
 create mode 100644 network/patches/0071-man-Convert-network-dns-server-8-to-asciidoc.patch
 create mode 100644 network/patches/0072-man-Convert-network-performance-tuning-8-to-asciidoc.patch
 create mode 100644 network/patches/0073-man-Convert-network-port-8-to-asciidoc.patch
 create mode 100644 network/patches/0074-man-Converting-network-quick-start-8-to-asciidoc.patch
 create mode 100644 network/patches/0075-man-Use-include-for-color-commands.patch
 create mode 100644 network/patches/0076-man-Drop-old-network-color-8-man-page.patch
 create mode 100644 network/patches/0077-man-Fix-page-headers.patch
 create mode 100644 network/patches/0078-man-Convert-network-route-8-to-asciidoc.patch
 create mode 100644 network/patches/0079-.gitignore-Ignore-DS_Store.patch
 create mode 100644 network/patches/0080-man-Convert-network-route-static-8-to-asciidoc.patch
 create mode 100644 network/patches/0081-man-Convert-network-settings-8-to-asciidoc.patch
 create mode 100644 network/patches/0082-man-Convert-network-vpn-8-to-asciidoc.patch
 create mode 100644 network/patches/0083-man-Convert-network-vpn-security-policies-8-to-ascii.patch
 create mode 100644 network/patches/0084-man-Convert-network-zone-8-to-asciidoc.patch
 create mode 100644 network/patches/0085-man-Convert-network-zone-bridge-8-to-asciidoc.patch
 create mode 100644 network/patches/0086-man-Convert-network-zone-config-pppoe-server-8-to-as.patch
 create mode 100644 network/patches/0087-man-Convert-network-zone-ip-tunnel-8-to-asciidoc.patch
 create mode 100644 network/patches/0088-man-Convert-network-zone-modem-8-to-asciidoc.patch
 create mode 100644 network/patches/0089-man-Convert-network-zone-pppoe-8-to-asciidoc.patch
 create mode 100644 network/patches/0090-man-Convert-network-zone-wireless-8-to-asciidoc.patch
 create mode 100644 network/patches/0091-man-Cleanup-XML-files.patch
 create mode 100644 network/patches/0092-man-Make-distcheck-happy.patch
 create mode 100644 network/patches/0093-man-Include-include-files-in-tarball.patch
 create mode 100644 network/patches/0094-man-network-route-static-Fix-name.patch
 create mode 100644 network/patches/0095-Makefile-Add-target-to-upload-HTML-man-pages.patch
 create mode 100644 network/patches/0096-man-Do-not-generate-HTML-documentation-in-normal-bui.patch
 create mode 100644 network/patches/0097-man-Fix-authorship-warnings.patch
 create mode 100644 network/patches/0098-man-Make-syntax-format-more-similar-across-files.patch
 create mode 100644 network/patches/0099-hooks-Add-overwritable-function-to-determine-the-por.patch
 create mode 100644 network/patches/0100-vlan-Convert-hook-to-use-parse_cmdline-function.patch
 create mode 100644 network/patches/0101-vlan-Validate-and-always-set-MAC-address.patch
 create mode 100644 network/patches/0102-vlan-Fail-when-unknown-command-line-parameters-are-b.patch
 create mode 100644 network/patches/0103-vlan-Rename-PARENT_DEVICE-to-PARENT_PORT.patch
 create mode 100644 network/patches/0104-vlan-Check-if-parent-device-exists-before-bringing-i.patch
 create mode 100644 network/patches/0105-vlan-Simplify-vlan_remove.patch
 create mode 100644 network/patches/0106-vlan-Refactor-vlan_create.patch
 create mode 100644 network/patches/0107-vlan-Create-partent-port-if-necessary.patch
 create mode 100644 network/patches/0108-vlan-Drop-ebtables-stuff.patch
 create mode 100644 network/patches/0109-vlan-Rename-tag-to-id.patch
 create mode 100644 network/patches/0110-vlan-Validate-ID.patch
 create mode 100644 network/patches/0111-util-Add-abort-which-will-stop-the-program-immediate.patch
 create mode 100644 network/patches/0112-vlan-Add-support-for-802.1ad-QinQ.patch
 create mode 100644 network/patches/0113-Do-not-try-to-start-Bird-during-boot-process.patch
 create mode 100644 network/patches/0114-configure-Break-when-asciidoc-cannot-be-found.patch
 create mode 100644 network/patches/0115-Fix-creating-new-configs.patch
 create mode 100644 network/patches/0116-inetcalc-Fix-compiler-warnings.patch
 create mode 100644 network/patches/0117-firewall-Drop-separate-scripts-for-IPv6-and-IPv4.patch
 create mode 100644 network/patches/0118-systemd-Remove-double-firewall-scripts.patch
 create mode 100644 network/patches/0119-firewall-Add-init-action-to-main-script.patch
 create mode 100644 network/patches/0120-firewall-Drop-initialisation-helper-script.patch
 create mode 100644 network/patches/0121-Revert-firewall-Disable-PMTU-by-default.patch
 create mode 100644 network/patches/0122-firewall-Fix-reading-writing-settings.patch
 create mode 100644 network/patches/0123-firewall-Drop-firewall-config-command-in-favour-of-f.patch
 create mode 100644 network/patches/0124-wireless-Do-not-attempt-DFS-when-reg-domain-is-set-t.patch
 create mode 100644 network/patches/0125-bird-Start-service-when-needed-and-not-already-runni.patch
 create mode 100644 network/patches/0126-ip-tunnel-Support-setting-MTU-on-tunnels.patch
 create mode 100644 network/patches/0127-firewall-Fix-generating-systemd-file.patch
 create mode 100644 network/patches/0128-Make-generating-man-pages-optional.patch
 create mode 100644 network/patches/0129-Add-documentation-for-the-IPsec-VPN.patch
 create mode 100644 network/patches/0130-Makefile-Add-network-vpn-ipsec-8.patch
 create mode 100644 network/patches/0131-security-policies-performance-Remove-CBC-ciphers.patch
 create mode 100644 network/patches/0132-IPsec-Add-support-for-Curve448.patch
 create mode 100644 network/patches/0133-Disable-copybreak.patch
 create mode 100644 network/patches/0134-configure-Check-for-libsystemd.patch
 create mode 100644 network/patches/0135-Makefile-Add-scaffolding-for-networkd.patch
 create mode 100644 network/patches/0136-networkd-Link-against-systemd.patch
 create mode 100644 network/patches/0137-networkd-Tell-systemd-about-the-daemon-status.patch
 create mode 100644 network/patches/0138-networkd-Create-a-simple-daemon-class.patch
 create mode 100644 network/patches/0139-networkd-Create-an-event-loop.patch
 create mode 100644 network/patches/0140-networkd-Enable-the-service-watchdog.patch
 create mode 100644 network/patches/0141-networkd-Add-some-very-simple-logging.patch
 create mode 100644 network/patches/0142-networkd-Register-SIGTERM-SIGINT-SIGHUP.patch
 create mode 100644 network/patches/0143-networkd-Add-scaffolding-to-reload-the-daemon.patch
 create mode 100644 network/patches/0144-configure-Enable-system-extensions-to-define-_GNU_SO.patch
 create mode 100644 network/patches/0145-networkd-Add-scaffolding-to-connect-to-dbus.patch
 create mode 100644 network/patches/0146-networkd-Add-scaffolding-for-config-objects.patch
 create mode 100644 network/patches/0147-networkd-Add-scaffolding-to-read-configuration-files.patch
 create mode 100644 network/patches/0148-networkd-Implement-setting-configuration-values.patch
 create mode 100644 network/patches/0149-networkd-Implement-reading-configuration-values.patch
 create mode 100644 network/patches/0150-networkd-Implement-writing-configuration-files.patch
 create mode 100644 network/patches/0151-networkd-Read-main-configuration-file.patch
 create mode 100644 network/patches/0152-networkd-Set-configuration-path-from-build-scripts.patch
 create mode 100644 network/patches/0153-networkd-Add-scaffolding-for-zones.patch
 create mode 100644 network/patches/0154-networkd-Install-a-dbus-service-file.patch
 create mode 100644 network/patches/0155-networkd-Install-a-dbus-policy.patch
 create mode 100644 network/patches/0156-configure-Tidy-up-dbus-path-detection.patch
 create mode 100644 network/patches/0157-configure-Drop-non-sensical-CFLAGS-and-add-more-warn.patch
 create mode 100644 network/patches/0158-libnetwork-Fix-prototype-of-network_version.patch
 create mode 100644 network/patches/0159-networkd-Move-systemd-notifications-into-daemon-obje.patch
 create mode 100644 network/patches/0160-man-Fix-incorrect-name-on-IPsec-man-page.patch
 create mode 100644 network/patches/0161-networkd-Install-some-simple-PolicyKit-policy.patch
 create mode 100644 network/patches/0162-networkd-Call-function-when-we-are-connected-to-dbus.patch
 create mode 100644 network/patches/0163-networkd-Install-a-systemd-service-file.patch
 create mode 100644 network/patches/0164-networkd-Fully-implement-bus-handler-for-Reload.patch
 create mode 100644 network/patches/0165-networkd-Asynchronously-register-to-the-bus.patch
 create mode 100644 network/patches/0166-networkd-config-Split-flushing-all-entries-into-a-fu.patch
 create mode 100644 network/patches/0167-networkd-Change-config-read-functions-to-not-create-.patch
 create mode 100644 network/patches/0168-networkd-Store-the-path-with-the-configuration-objec.patch
 create mode 100644 network/patches/0169-networkd-zones-Try-to-read-configuration-automatical.patch
 create mode 100644 network/patches/0170-networkd-Read-all-zones-from-configuration.patch
 create mode 100644 network/patches/0171-networkd-bus-Create-a-unified-function-to-register-a.patch
 create mode 100644 network/patches/0172-networkd-Add-a-dummy-bus-implementation-for-zones.patch
 create mode 100644 network/patches/0173-networkd-Pass-daemon-to-all-functions-called-by-the-.patch
 create mode 100644 network/patches/0174-networkd-Move-zone-list-into-an-own-object.patch
 create mode 100644 network/patches/0175-networkd-Implement-enumerating-zones-on-the-bus.patch
 create mode 100644 network/patches/0176-networkd-Return-zone-when-it-is-being-accessed-by-it.patch
 create mode 100644 network/patches/0177-networkd-Split-daemon-bus-implementation-into-a-sepa.patch
 create mode 100644 network/patches/0178-networkd-Add-a-test-bus-property-to-set-the-MTU.patch
 create mode 100644 network/patches/0179-networkd-Connect-to-udev.patch
 create mode 100644 network/patches/0180-networkd-Change-to-a-non-privileged-user-right-away.patch
 create mode 100644 network/patches/0181-networkd-Drop-all-capabilities-except-a-few-we-would.patch
 create mode 100644 network/patches/0182-networkd-Connect-to-the-kernel-s-netlink-interface.patch
 create mode 100644 network/patches/0183-networkd-Link-against-libnetwork.patch
 create mode 100644 network/patches/0184-networkd-Add-a-link-object.patch
 create mode 100644 network/patches/0185-networkd-Add-a-container-for-links.patch
 create mode 100644 network/patches/0186-networkd-Enumerate-all-links-on-startup.patch
 create mode 100644 network/patches/0187-networkd-Create-a-link-object-for-each-interface.patch
 create mode 100644 network/patches/0188-networkd-Only-add-link-if-we-created-it.patch
 create mode 100644 network/patches/0189-networkd-Import-interface-name.patch
 create mode 100644 network/patches/0190-networkd-Read-link-MTU.patch
 create mode 100644 network/patches/0191-networkd-config-Actually-return-entry-instead-of-fre.patch
 create mode 100644 network/patches/0192-networkd-config-Implement-reading-configuration-file.patch
 create mode 100644 network/patches/0193-networkd-Add-scaffolding-for-ports.patch
 create mode 100644 network/patches/0194-networkd-Add-port-container.patch
 create mode 100644 network/patches/0195-networkd-Enumerate-ports-on-startup.patch
 create mode 100644 network/patches/0196-networkd-Perform-port-setup-from-configuration.patch
 create mode 100644 network/patches/0197-networkd-Read-Ethernet-address-from-configuration.patch
 create mode 100644 network/patches/0198-networkd-Generate-a-random-Ethernet-address-for-port.patch
 create mode 100644 network/patches/0199-networkd-Introduce-address-flags-for-better-readabil.patch
 create mode 100644 network/patches/0200-networkd-Check-if-Ethernet-addresses-from-config-are.patch
 create mode 100644 network/patches/0201-networkd-Export-ports-over-dbus.patch
 create mode 100644 network/patches/0202-networkd-address-Fix-buffer-to-Ethernet-address-stri.patch
 create mode 100644 network/patches/0203-networkd-ports-Export-Ethernet-address-over-dbus.patch
 create mode 100644 network/patches/0204-networkd-Add-method-to-fetch-corresponding-link-to-p.patch
 create mode 100644 network/patches/0205-networkd-Use-typedef-to-keep-type-names-shorter.patch
 create mode 100644 network/patches/0206-networkd-Store-a-reference-to-the-daemon-in-zone.patch
 create mode 100644 network/patches/0207-networkd-Refactor-enumerating-zones.patch
 create mode 100644 network/patches/0208-networkd-Save-configuration-when-the-daemon-exits.patch
 create mode 100644 network/patches/0209-networkd-Store-any-flags.patch
 create mode 100644 network/patches/0210-networkd-Store-operstate-too.patch
 create mode 100644 network/patches/0211-networkd-Add-function-to-check-whether-a-link-has-a-.patch
 create mode 100644 network/patches/0212-networkd-Add-methods-to-check-zones-ports-for-carrie.patch
 create mode 100644 network/patches/0213-networkd-Log-to-journald.patch
 create mode 100644 network/patches/0214-networkd-Install-in-usr-lib-network.patch
 create mode 100644 network/patches/0215-networkctl-Create-some-scaffolding.patch
 create mode 100644 network/patches/0216-networkctl-Connect-to-the-system-bus.patch
 create mode 100644 network/patches/0217-networkctl-Add-some-help-and-version-arguments.patch
 create mode 100644 network/patches/0218-networkctl-Implement-a-basic-command-dispatcher.patch
 create mode 100644 network/patches/0219-networkd-Implement-ListZones-bus-command.patch
 create mode 100644 network/patches/0220-networkctl-Implement-zone-list-command.patch
 create mode 100644 network/patches/0221-networkd-Fix-finding-links-by-name.patch
 create mode 100644 network/patches/0222-networkd-ports-Keep-a-permanent-reference-to-links.patch
 create mode 100644 network/patches/0223-networkd-zones-Keep-a-permanent-reference-to-links.patch
 create mode 100644 network/patches/0224-networkd-config-Add-functions-to-handle-boolean-valu.patch
 create mode 100644 network/patches/0225-networkd-Try-to-reconfigure-all-ports-and-zones-on-s.patch
 create mode 100644 network/patches/0226-networkd-Implement-deleting-links.patch
 create mode 100644 network/patches/0227-networkd-Automatically-reference-dereference-links-t.patch
 create mode 100644 network/patches/0228-networkd-ports-Create-dummy-function-to-create-links.patch
 create mode 100644 network/patches/0229-networkd-daemon-Correctly-store-reference-to-bus.patch
 create mode 100644 network/patches/0230-networkd-Collect-stats-regulary-and-emit-them-on-dbu.patch
 create mode 100644 network/patches/0231-address-Fix-output-buffer-size-when-formatting-MAC-a.patch
 create mode 100644 network/patches/0232-config-Fail-if-there-is-garbage-after-intergers.patch
 create mode 100644 network/patches/0233-config-Avoid-adding-empty-line-after-integers.patch
 create mode 100644 network/patches/0234-ports-Require-type-to-be-set-at-all-times.patch
 create mode 100644 network/patches/0235-port-Implement-reading-writing-VLAN-settings.patch
 create mode 100644 network/patches/0236-ports-Implement-destroying-a-port.patch
 create mode 100644 network/patches/0237-ports-Create-scaffolding-for-operations-struct.patch
 create mode 100644 network/patches/0238-ports-Move-VLAN-stuff-into-its-own-file.patch
 create mode 100644 network/patches/0239-ports-Implement-creating-links-from-ports.patch
 create mode 100644 network/patches/0240-ports-Rename-the-ops-struct-as-we-will-need-to-store.patch
 create mode 100644 network/patches/0241-ports-Implement-listing-ports-over-DBus.patch
 create mode 100644 network/patches/0242-daemon-Fix-return-code-handling-when-listing-ports-z.patch
 create mode 100644 network/patches/0243-ports-Do-not-expect-to-come-back-after-creating-link.patch
 create mode 100644 network/patches/0244-ports-Set-the-configure-MAC-address-when-creating-li.patch
 create mode 100644 network/patches/0245-ports-Show-message-when-creating-ports.patch
 create mode 100644 network/patches/0246-ports-Constify-info-struct.patch
 create mode 100644 network/patches/0247-ports-Log-when-we-created-a-random-Ethernet-address.patch
 create mode 100644 network/patches/0248-ports-Add-the-most-basic-supports-for-bonding.patch
 create mode 100644 network/patches/0249-ports-Move-VLAN-settings-into-its-own-header-file.patch
 create mode 100644 network/patches/0250-networkctl-Fix-typo-in-bus-method-name.patch
 create mode 100644 network/patches/0251-ports-Implement-a-function-the-generally-fetches-the.patch
 create mode 100644 network/patches/0252-config-Compare-truthiness-case-insensitively.patch
 create mode 100644 network/patches/0253-configure-Depend-on-JSON-C.patch
 create mode 100644 network/patches/0254-ports-Add-bus-method-to-export-port-information-as-J.patch
 create mode 100644 network/patches/0255-networkctl-Fix-parsing-commands.patch
 create mode 100644 network/patches/0256-networkctl-Implement-dump-command-for-ports-which-sh.patch
 create mode 100644 network/patches/0257-string-Add-macros-to-easily-define-string-table-look.patch
 create mode 100644 network/patches/0258-ports-VLAN-Implement-choosing-a-protocol.patch
 create mode 100644 network/patches/0259-config-Extend-the-parser-to-easier-read-write-config.patch
 create mode 100644 network/patches/0260-ports-bonding-Convert-mode-to-string-table.patch
 create mode 100644 network/patches/0261-config-Rename-data-to-value-as-it-holds-a-reference-.patch
 create mode 100644 network/patches/0262-config-Add-data-pointer-to-callbacks.patch
 create mode 100644 network/patches/0263-string-Define-an-own-type-for-string-tables.patch
 create mode 100644 network/patches/0264-config-Implement-option-that-looks-up-string-tables.patch
 create mode 100644 network/patches/0265-ports-Store-the-parent-name.patch
 create mode 100644 network/patches/0266-ports-VLAN-Make-all-constants-uppercase.patch
 create mode 100644 network/patches/0267-ports-Unify-type.patch
 create mode 100644 network/patches/0268-ports-Move-VLAN-constants-to-VLAN-header.patch
 create mode 100644 network/patches/0269-ports-Drop-UNKNOWN-type.patch
 create mode 100644 network/patches/0270-ports-Implement-scaffolding-for-configuration.patch
 create mode 100644 network/patches/0271-ports-VLAN-Validate-configuration.patch
 create mode 100644 network/patches/0272-daemon-Don-t-crash-when-a-port-could-not-be-loaded.patch
 create mode 100644 network/patches/0273-string-Have-all-functions-return-negative-values-on-.patch
 create mode 100644 network/patches/0274-networkd-Parse-command-line-arguments.patch
 create mode 100644 network/patches/0275-networkd-Open-config-directory-and-keep-a-handle-to-.patch
 create mode 100644 network/patches/0276-networkd-Hold-a-file-descriptor-instead-of-DIR.patch
 create mode 100644 network/patches/0277-networkd-Add-a-simple-test-environment.patch
 create mode 100644 network/patches/0278-test-Run-ip-d-link-to-show-the-status-of-the-environ.patch
 create mode 100644 network/patches/0279-networkctl-Terminate-after-showing-help-or-version.patch
 create mode 100644 network/patches/0280-test-Be-less-patient-if-networkd-does-not-want-to-te.patch
 create mode 100644 network/patches/0281-test-Run-networkd-as-root-in-its-own-namespace.patch
 create mode 100644 network/patches/0282-ports-Refactor-enumerating-ports.patch
 create mode 100644 network/patches/0283-tests-Add-new-test-that-creates-two-dummy-interfaces.patch
 create mode 100644 network/patches/0284-tests-Always-dump-the-environment.patch
 create mode 100644 network/patches/0285-test-Collect-more-information-from-test-environment.patch
 create mode 100644 network/patches/0286-ports-bonding-Use-correct-enum-for-mode.patch
 create mode 100644 network/patches/0287-networkd-json-Include-string.h.patch
 create mode 100644 network/patches/0288-ports-Add-support-for-VETH.patch
 create mode 100644 network/patches/0289-config-Add-string-buffer-type.patch
 create mode 100644 network/patches/0290-networkctl-Add-color-functions.patch
 create mode 100644 network/patches/0291-networkctl-Move-describe-into-an-own-function.patch
 create mode 100644 network/patches/0292-networkctl-Implement-scaffolding-to-show-ports.patch
 create mode 100644 network/patches/0293-ports-Add-link-stuff-to-JSON-output.patch
 create mode 100644 network/patches/0294-link-Add-device-stuff-to-JSON-output.patch
 create mode 100644 network/patches/0295-ports-Add-scaffolding-for-physical-Ethernet-interfac.patch
 create mode 100644 network/patches/0296-logging-Add-WARNING-log-level.patch
 create mode 100644 network/patches/0297-networkd-Handle-any-uevents-for-links.patch
 create mode 100644 network/patches/0298-links-Initialize-udev-device-when-links-are-created.patch
 create mode 100644 network/patches/0299-link-Skip-uevent-when-the-device-is-renaming.patch
 create mode 100644 network/patches/0300-networkd-Implement-smarter-handling-of-the-configura.patch
 create mode 100644 network/patches/0301-zones-Move-struct-nw_zone-into-header.patch
 create mode 100644 network/patches/0302-Drop-unused-configuration-file-paths.patch
 create mode 100644 network/patches/0303-util-Drop-nw_ftw.patch
 create mode 100644 network/patches/0304-Makefile-Fix-typo-in-localstatedir.patch
 delete mode 100644 network/patches/network-fix-logdir-path.patch
  

Patch

diff --git a/network/network.nm b/network/network.nm
index 85a9d15b3..2df8135b2 100644
--- a/network/network.nm
+++ b/network/network.nm
@@ -5,7 +5,7 @@ 
 
 name       = network
 version    = 010
-release    = 5
+release    = 6
 
 maintainer = Michael Tremer <michael.tremer@ipfire.org>
 groups     = Base Networking/Tools
@@ -24,9 +24,12 @@  source_dl  = https://source.ipfire.org/releases/network/
 
 build
 	requires
+		asciidoc
 		autoconf
 		automake
 		docbook-xsl
+		json-c-devel
+		libcap-devel
 		libnl3-devel
 		libxslt
 		systemd-devel
diff --git a/network/patches/0001-Bump-version-to-011.patch b/network/patches/0001-Bump-version-to-011.patch
new file mode 100644
index 000000000..2b9422662
--- /dev/null
+++ b/network/patches/0001-Bump-version-to-011.patch
@@ -0,0 +1,26 @@ 
+From af91a344198a1f3c47dc18905870818a0758d427 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 24 Sep 2018 21:55:51 +0100
+Subject: [PATCH 001/304] Bump version to 011
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9baab31..08e9089 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -21,7 +21,7 @@
+ AC_PREREQ([2.64])
+ 
+ AC_INIT([network],
+-	[010],
++	[011],
+ 	[info@ipfire.org],
+ 	[network],
+ 	[http://www.ipfire.org/])
+-- 
+2.39.2
+
diff --git a/network/patches/0002-bridge-Check-input-and-return-useful-errors.patch b/network/patches/0002-bridge-Check-input-and-return-useful-errors.patch
new file mode 100644
index 000000000..91cbdec60
--- /dev/null
+++ b/network/patches/0002-bridge-Check-input-and-return-useful-errors.patch
@@ -0,0 +1,144 @@ 
+From b99bbd83b94d380bd07dcace8fb0e95b76b01e9f Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 24 Sep 2018 23:13:22 +0200
+Subject: [PATCH 002/304] bridge: Check input and return useful errors
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/zones/bridge | 80 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 63 insertions(+), 17 deletions(-)
+
+diff --git a/src/hooks/zones/bridge b/src/hooks/zones/bridge
+index 38b2b5f..838a513 100644
+--- a/src/hooks/zones/bridge
++++ b/src/hooks/zones/bridge
+@@ -23,13 +23,12 @@
+ 
+ HOOK_MANPAGE="network-zone-bridge"
+ 
+-HOOK_SETTINGS="HOOK STP STP_FORWARD_DELAY STP_HELLO STP_MAXAGE"
+-HOOK_SETTINGS="${HOOK_SETTINGS} STP_PRIORITY MAC MTU"
++HOOK_SETTINGS="HOOK ADDRESS STP STP_FORWARD_DELAY STP_HELLO STP_MAXAGE"
++HOOK_SETTINGS="${HOOK_SETTINGS} STP_PRIORITY MTU"
+ 
+ HOOK_PORT_SETTINGS="COST PRIORITY"
+ 
+ # Default values
+-MAC=""
+ MTU=1500
+ STP="on"
+ STP_FORWARD_DELAY=0
+@@ -38,7 +37,9 @@ STP_MAXAGE=20
+ STP_PRIORITY=512
+ 
+ hook_check_settings() {
+-	assert ismac MAC
++	assert ismac ADDRESS
++
++	# Spanning Tree Protocol
+ 	assert isbool STP
+ 	assert isinteger STP_HELLO
+ 	assert isinteger STP_FORWARD_DELAY
+@@ -49,33 +50,78 @@ hook_check_settings() {
+ hook_parse_cmdline() {
+ 	while [ $# -gt 0 ]; do
+ 		case "${1}" in
++			--address=*)
++				ADDRESS="$(cli_get_val "${1}")"
++
++				if ! mac_is_valid "${ADDRESS}"; then
++					error "Invalid MAC address: ${ADDRESS}"
++					return ${EXIT_ERROR}
++				fi
++				;;
++
++			--mtu=*)
++				MTU="$(cli_get_val "${1}")"
++
++				if ! mtu_is_valid "ethernet" "${MTU}"; then
++					error "Invalid MTU: ${MTU}"
++					return ${EXIT_ERROR}
++				fi
++				;;
++
+ 			--stp=*)
+-				STP=${1#--stp=}
++				STP="$(cli_get_val "${1}")"
++
++				if enabled STP; then
++					STP="on"
++				elif disabled STP; then
++					STP="off"
++				else
++					error "Invalid value for STP: ${STP}"
++					return ${EXIT_ERROR}
++				fi
+ 				;;
++
+ 			--stp-hello=*)
+-				STP_HELLO=${1#--stp-hello=}
++				STP_HELLO="$(cli_get_val "${1}")"
++
++				if ! isinteger STP_HELLO; then
++					error "Invalid STP hello time: ${STP_HELLO}"
++					return ${EXIT_ERROR}
++				fi
+ 				;;
++
+ 			--stp-forward-delay=*)
+-				STP_FORWARD_DELAY=${1#--stp-forward-delay=}
++				STP_FORWARD_DELAY="$(cli_get_val "${1}")"
++
++				if ! isinteger STP_FORWARD_DELAY; then
++					error "Invalid STP forwarding delay: ${STP_FORWARD_DELAY}"
++					return ${EXIT_ERROR}
++				fi
+ 				;;
++
+ 			--stp-priority=*)
+-				STP_PRIORITY=${1#--stp-priority=}
+-				;;
+-			--mtu=*)
+-				MTU=${1#--mtu=}
+-				;;
+-			--mac=*)
+-				MAC=${1#--mac=}
++				STP_PRIORITY="$(cli_get_val "${1}")"
++
++				if ! isinteger STP_PRIORITY; then
++					error "Invalid STP priority: ${STP_PRIORITY}"
++					return ${EXIT_ERROR}
++				fi
+ 				;;
++
+ 			*)
+-				warning "Ignoring unknown option '${1}'"
++				error "Unknown argument: ${1}"
++				return ${EXIT_ERROR}
+ 				;;
+ 		esac
+ 		shift
+ 	done
+ 
+ 	# Generate a random MAC address if the user passed no one
+-	isset MAC || MAC="$(mac_generate)"
++	if isset ADDRESS; then
++		ADDRESS="$(mac_generate)"
++	fi
++
++	return ${EXIT_OK}
+ }
+ 
+ hook_up() {
+@@ -87,7 +133,7 @@ hook_up() {
+ 	# Create the bridge if it does not already exist.
+ 	if ! device_exists "${zone}"; then
+ 		bridge_create "${zone}" \
+-			--address="${MAC}" \
++			--address="${ADDRESS}" \
+ 			--mtu="${MTU}"
+ 	fi
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0003-bridge-Fix-assertion-for-MTU.patch b/network/patches/0003-bridge-Fix-assertion-for-MTU.patch
new file mode 100644
index 000000000..ce712991d
--- /dev/null
+++ b/network/patches/0003-bridge-Fix-assertion-for-MTU.patch
@@ -0,0 +1,32 @@ 
+From d95e2fdc65aeeca72ef326102f26727199b27b95 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 24 Sep 2018 23:15:26 +0200
+Subject: [PATCH 003/304] bridge: Fix assertion for MTU
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/zones/bridge | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hooks/zones/bridge b/src/hooks/zones/bridge
+index 838a513..d610814 100644
+--- a/src/hooks/zones/bridge
++++ b/src/hooks/zones/bridge
+@@ -38,13 +38,13 @@ STP_PRIORITY=512
+ 
+ hook_check_settings() {
+ 	assert ismac ADDRESS
++	assert isset MTU && assert mtu_is_valid "ethernet" "${MTU}"
+ 
+ 	# Spanning Tree Protocol
+ 	assert isbool STP
+ 	assert isinteger STP_HELLO
+ 	assert isinteger STP_FORWARD_DELAY
+ 	assert isinteger STP_PRIORITY
+-	assert isinteger MTU
+ }
+ 
+ hook_parse_cmdline() {
+-- 
+2.39.2
+
diff --git a/network/patches/0004-bridge-Reorder-functions-into-the-common-order.patch b/network/patches/0004-bridge-Reorder-functions-into-the-common-order.patch
new file mode 100644
index 000000000..d2a3d3810
--- /dev/null
+++ b/network/patches/0004-bridge-Reorder-functions-into-the-common-order.patch
@@ -0,0 +1,127 @@ 
+From 1fc4b3cac15c709b3a6f4a3171265a5cff793f47 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 24 Sep 2018 23:17:30 +0200
+Subject: [PATCH 004/304] bridge: Reorder functions into the common order
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/zones/bridge | 96 +++++++++++++++++++++---------------------
+ 1 file changed, 49 insertions(+), 47 deletions(-)
+
+diff --git a/src/hooks/zones/bridge b/src/hooks/zones/bridge
+index d610814..fb81673 100644
+--- a/src/hooks/zones/bridge
++++ b/src/hooks/zones/bridge
+@@ -172,53 +172,6 @@ hook_up() {
+ 	exit ${EXIT_OK}
+ }
+ 
+-hook_hotplug() {
+-	local zone="${1}"
+-	assert isset zone
+-
+-	case "$(hotplug_action)" in
+-		add)
+-			# Attach all ports when zone is coming up
+-			if hotplug_event_interface_is_zone "${zone}"; then
+-				# Bring up all ports
+-				local port
+-				for port in $(zone_get_ports "${zone}"); do
+-					log DEBUG "Trying to attach port ${port} to ${zone}"
+-
+-					hook_port_up "${zone}" "${port}"
+-				done
+-
+-			# Handle ports of this zone that have just been added
+-			elif hotplug_event_interface_is_port_of_zone "${zone}"; then
+-				# Attach the device if the parent bridge is up
+-				if zone_is_active "${zone}"; then
+-					hook_port_up "${zone}" "${INTERFACE}"
+-				fi
+-			fi
+-			;;
+-		remove)
+-			if hotplug_event_interface_is_zone "${zone}"; then
+-				# Bring down/destroy all ports
+-				local port
+-				for port in $(zone_get_ports "${zone}"); do
+-					log DEBUG "Trying to detach port ${port} from ${zone}"
+-
+-					hook_port_down "${zone}" "${port}"
+-				done
+-
+-			# Handle ports of this zone that have just been removed
+-			elif hotplug_event_interface_is_port_of_zone "${zone}"; then
+-				hook_port_down "${zone}" "${INTERFACE}"
+-			fi
+-			;;
+-		*)
+-			exit ${EXIT_NOT_HANDLED}
+-			;;
+-	esac
+-
+-	exit ${EXIT_OK}
+-}
+-
+ hook_down() {
+ 	local zone="${1}"
+ 	assert isset zone
+@@ -294,6 +247,55 @@ hook_status() {
+ 	exit ${EXIT_OK}
+ }
+ 
++hook_hotplug() {
++	local zone="${1}"
++	assert isset zone
++
++	case "$(hotplug_action)" in
++		add)
++			# Attach all ports when zone is coming up
++			if hotplug_event_interface_is_zone "${zone}"; then
++				# Bring up all ports
++				local port
++				for port in $(zone_get_ports "${zone}"); do
++					log DEBUG "Trying to attach port ${port} to ${zone}"
++
++					hook_port_up "${zone}" "${port}"
++				done
++
++			# Handle ports of this zone that have just been added
++			elif hotplug_event_interface_is_port_of_zone "${zone}"; then
++				# Attach the device if the parent bridge is up
++				if zone_is_active "${zone}"; then
++					hook_port_up "${zone}" "${INTERFACE}"
++				fi
++			fi
++			;;
++
++		remove)
++			if hotplug_event_interface_is_zone "${zone}"; then
++				# Bring down/destroy all ports
++				local port
++				for port in $(zone_get_ports "${zone}"); do
++					log DEBUG "Trying to detach port ${port} from ${zone}"
++
++					hook_port_down "${zone}" "${port}"
++				done
++
++			# Handle ports of this zone that have just been removed
++			elif hotplug_event_interface_is_port_of_zone "${zone}"; then
++				hook_port_down "${zone}" "${INTERFACE}"
++			fi
++			;;
++
++		*)
++			exit ${EXIT_NOT_HANDLED}
++			;;
++	esac
++
++	exit ${EXIT_OK}
++}
++
+ hook_check_port_settings() {
+ 	if isset COST; then
+ 		assert isinteger COST
+-- 
+2.39.2
+
diff --git a/network/patches/0005-bridge-Set-proper-defaults.patch b/network/patches/0005-bridge-Set-proper-defaults.patch
new file mode 100644
index 000000000..adbe32bea
--- /dev/null
+++ b/network/patches/0005-bridge-Set-proper-defaults.patch
@@ -0,0 +1,78 @@ 
+From c259c985bc98ad89350f81b68db58925163a43eb Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 24 Sep 2018 23:29:25 +0200
+Subject: [PATCH 005/304] bridge: Set proper defaults
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hook | 12 ++++++++++++
+ src/hooks/zones/bridge       | 20 +++++++++++++-------
+ 2 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/src/functions/functions.hook b/src/functions/functions.hook
+index ad51ad5..2f3ced0 100644
+--- a/src/functions/functions.hook
++++ b/src/functions/functions.hook
+@@ -124,6 +124,18 @@ hook_help() {
+ 	exit $?
+ }
+ 
++# Sets all settings in HOOK_SETTINGS to their DEFAULT_* values
++hook_set_defaults() {
++	local setting
++	for setting in ${HOOK_SETTINGS}; do
++		local default="DEFAULT_${setting}"
++
++		if isset ${default}; then
++			assign "${setting}" "${!default}"
++		fi
++	done
++}
++
+ config_get_hook() {
+ 	local config=${1}
+ 
+diff --git a/src/hooks/zones/bridge b/src/hooks/zones/bridge
+index fb81673..1144ba0 100644
+--- a/src/hooks/zones/bridge
++++ b/src/hooks/zones/bridge
+@@ -29,12 +29,10 @@ HOOK_SETTINGS="${HOOK_SETTINGS} STP_PRIORITY MTU"
+ HOOK_PORT_SETTINGS="COST PRIORITY"
+ 
+ # Default values
+-MTU=1500
+-STP="on"
+-STP_FORWARD_DELAY=0
+-STP_HELLO=2
+-STP_MAXAGE=20
+-STP_PRIORITY=512
++DEFAULT_STP_FORWARD_DELAY=0
++DEFAULT_STP_HELLO=2
++DEFAULT_STP_MAXAGE=20
++DEFAULT_STP_PRIORITY=512
+ 
+ hook_check_settings() {
+ 	assert ismac ADDRESS
+@@ -117,10 +115,18 @@ hook_parse_cmdline() {
+ 	done
+ 
+ 	# Generate a random MAC address if the user passed no one
+-	if isset ADDRESS; then
++	if ! isset ADDRESS; then
+ 		ADDRESS="$(mac_generate)"
+ 	fi
+ 
++	# Enable Spanning Tree Protocol by default
++	if ! isset STP; then
++		STP="on"
++	fi
++
++	# Set all other defaults
++	hook_set_defaults
++
+ 	return ${EXIT_OK}
+ }
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0006-bridge-Order-arguments-in-alphabetical-order.patch b/network/patches/0006-bridge-Order-arguments-in-alphabetical-order.patch
new file mode 100644
index 000000000..95f14cad5
--- /dev/null
+++ b/network/patches/0006-bridge-Order-arguments-in-alphabetical-order.patch
@@ -0,0 +1,46 @@ 
+From b76b7d88a5fc7271e9a16d4acb531cdfe45f3957 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 24 Sep 2018 23:31:43 +0200
+Subject: [PATCH 006/304] bridge: Order arguments in alphabetical order
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/zones/bridge | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/hooks/zones/bridge b/src/hooks/zones/bridge
+index 1144ba0..98aaef8 100644
+--- a/src/hooks/zones/bridge
++++ b/src/hooks/zones/bridge
+@@ -79,20 +79,20 @@ hook_parse_cmdline() {
+ 				fi
+ 				;;
+ 
+-			--stp-hello=*)
+-				STP_HELLO="$(cli_get_val "${1}")"
++			--stp-forward-delay=*)
++				STP_FORWARD_DELAY="$(cli_get_val "${1}")"
+ 
+-				if ! isinteger STP_HELLO; then
+-					error "Invalid STP hello time: ${STP_HELLO}"
++				if ! isinteger STP_FORWARD_DELAY; then
++					error "Invalid STP forwarding delay: ${STP_FORWARD_DELAY}"
+ 					return ${EXIT_ERROR}
+ 				fi
+ 				;;
+ 
+-			--stp-forward-delay=*)
+-				STP_FORWARD_DELAY="$(cli_get_val "${1}")"
++			--stp-hello=*)
++				STP_HELLO="$(cli_get_val "${1}")"
+ 
+-				if ! isinteger STP_FORWARD_DELAY; then
+-					error "Invalid STP forwarding delay: ${STP_FORWARD_DELAY}"
++				if ! isinteger STP_HELLO; then
++					error "Invalid STP hello time: ${STP_HELLO}"
+ 					return ${EXIT_ERROR}
+ 				fi
+ 				;;
+-- 
+2.39.2
+
diff --git a/network/patches/0007-bridge-Add-option-to-missing-stp-max-age.patch b/network/patches/0007-bridge-Add-option-to-missing-stp-max-age.patch
new file mode 100644
index 000000000..0a48d11c1
--- /dev/null
+++ b/network/patches/0007-bridge-Add-option-to-missing-stp-max-age.patch
@@ -0,0 +1,33 @@ 
+From 0f8d47058e6dedc5f20caf367a5296647ec950d1 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 24 Sep 2018 23:32:40 +0200
+Subject: [PATCH 007/304] bridge: Add option to missing --stp-max-age=
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/zones/bridge | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/hooks/zones/bridge b/src/hooks/zones/bridge
+index 98aaef8..93a3a31 100644
+--- a/src/hooks/zones/bridge
++++ b/src/hooks/zones/bridge
+@@ -97,6 +97,15 @@ hook_parse_cmdline() {
+ 				fi
+ 				;;
+ 
++			--stp-max-age=*)
++				STP_MAXAGE="$(cli_get_val "${1}")"
++
++				if ! isinteger STP_MAXAGE; then
++					error "Invalid STP max age: ${STP_MAXAGE}"
++					return ${EXIT_ERROR}
++				fi
++				;;
++
+ 			--stp-priority=*)
+ 				STP_PRIORITY="$(cli_get_val "${1}")"
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0008-Remove-unused-function.patch b/network/patches/0008-Remove-unused-function.patch
new file mode 100644
index 000000000..90cdc0976
--- /dev/null
+++ b/network/patches/0008-Remove-unused-function.patch
@@ -0,0 +1,29 @@ 
+From 5b29153cd4527392d6ca4bf8d3cba491db8d490e Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 1 Oct 2018 00:07:37 +0200
+Subject: [PATCH 008/304] Remove unused function
+
+Fixes: #11423
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.zone | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/functions/functions.zone b/src/functions/functions.zone
+index b9d475f..57e0b71 100644
+--- a/src/functions/functions.zone
++++ b/src/functions/functions.zone
+@@ -619,10 +619,6 @@ zone_config_list() {
+ 	done
+ }
+ 
+-zone_config_show() {
+-	zone_config_cmd "show" "$@"
+-}
+-
+ # Returns a list of all used ids for a zone
+ zone_config_list_ids() {
+ 	assert [ $# -eq 1 ]
+-- 
+2.39.2
+
diff --git a/network/patches/0009-bonding-Validate-any-MAC-address-passed.patch b/network/patches/0009-bonding-Validate-any-MAC-address-passed.patch
new file mode 100644
index 000000000..91c45617c
--- /dev/null
+++ b/network/patches/0009-bonding-Validate-any-MAC-address-passed.patch
@@ -0,0 +1,33 @@ 
+From 7b9557028a381206c573e42a7f5294d20aa0609b Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 1 Oct 2018 01:02:27 +0200
+Subject: [PATCH 009/304] bonding; Validate any MAC address passed
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/bonding | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/hooks/ports/bonding b/src/hooks/ports/bonding
+index 2880a78..40d849f 100644
+--- a/src/hooks/ports/bonding
++++ b/src/hooks/ports/bonding
+@@ -39,8 +39,14 @@ hook_parse_cmdline() {
+ 	while [ $# -gt 0 ]; do
+ 		case "${1}" in
+ 			--address=*)
+-				ADDRESS=$(cli_get_val "${1}")
++				ADDRESS="$(cli_get_val "${1}")"
++
++				if ! mac_is_valid "${ADDRESS}"; then
++					error "Invalid MAC address: ${ADDRESS}"
++					return ${EXIT_ERROR}
++				fi
+ 				;;
++
+ 			--miimon=*)
+ 				MIIMON=$(cli_get_val "${1}")
+ 				;;
+-- 
+2.39.2
+
diff --git a/network/patches/0010-ip-tunnel-Set-TTL-to-255-by-default.patch b/network/patches/0010-ip-tunnel-Set-TTL-to-255-by-default.patch
new file mode 100644
index 000000000..6f8a943c4
--- /dev/null
+++ b/network/patches/0010-ip-tunnel-Set-TTL-to-255-by-default.patch
@@ -0,0 +1,34 @@ 
+From ae2c5b2b954bfc5282f0ef359d0960a2cd610e14 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Dec 2018 13:38:13 +0100
+Subject: [PATCH 010/304] ip-tunnel: Set TTL to 255 by default
+
+By default, the Linux kernel inherits the TTL of the transported
+packet. Usually with BGP, the TTL is deliberately set to 1 or very
+low numbers which causes the packet to be dropped after the first
+hop.
+
+Since the tunnel should be routed, we set this to a default value
+of 255 and ignore the TTL of the encapsulated packet.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.ip-tunnel | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.ip-tunnel b/src/functions/functions.ip-tunnel
+index 1184a84..11eb3c7 100644
+--- a/src/functions/functions.ip-tunnel
++++ b/src/functions/functions.ip-tunnel
+@@ -77,7 +77,7 @@ ip_tunnel_add() {
+ 	shift
+ 
+ 	local mode
+-	local ttl
++	local ttl=255
+ 
+ 	local address
+ 	local remote_address
+-- 
+2.39.2
+
diff --git a/network/patches/0011-bird-Add-some-generic-configuration-file.patch b/network/patches/0011-bird-Add-some-generic-configuration-file.patch
new file mode 100644
index 000000000..d89917387
--- /dev/null
+++ b/network/patches/0011-bird-Add-some-generic-configuration-file.patch
@@ -0,0 +1,107 @@ 
+From 6a1b0fb170c7d66559935a6a4f8ee0e2bfdbf485 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 16 Dec 2018 17:10:47 +0000
+Subject: [PATCH 011/304] bird: Add some generic configuration file
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am                  |  1 +
+ src/functions/functions.bird | 74 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 75 insertions(+)
+ create mode 100644 src/functions/functions.bird
+
+diff --git a/Makefile.am b/Makefile.am
+index 399652e..0139f95 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -127,6 +127,7 @@ EXTRA_DIST += \
+ dist_network_DATA = \
+ 	src/functions/functions.at \
+ 	src/functions/functions.auth \
++	src/functions/functions.bird \
+ 	src/functions/functions.bonding \
+ 	src/functions/functions.bridge \
+ 	src/functions/functions.cli \
+diff --git a/src/functions/functions.bird b/src/functions/functions.bird
+new file mode 100644
+index 0000000..9c8b006
+--- /dev/null
++++ b/src/functions/functions.bird
+@@ -0,0 +1,74 @@
++#!/bin/bash
++###############################################################################
++#                                                                             #
++# IPFire.org - A linux based firewall                                         #
++# Copyright (C) 2018  IPFire Network Development Team                         #
++#                                                                             #
++# This program is free software: you can redistribute it and/or modify        #
++# it under the terms of the GNU General Public License as published by        #
++# the Free Software Foundation, either version 3 of the License, or           #
++# (at your option) any later version.                                         #
++#                                                                             #
++# This program is distributed in the hope that it will be useful,             #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
++# GNU General Public License for more details.                                #
++#                                                                             #
++# You should have received a copy of the GNU General Public License           #
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
++#                                                                             #
++###############################################################################
++
++BIRD_CONF="/etc/bird.conf"
++
++bird_start() {
++	service_start "bird.service"
++}
++
++bird_stop() {
++	service_stop "bird.service"
++}
++
++bird_reload() {
++	service_reload "bird.service"
++}
++
++bird_generate_config() {
++	log DEBUG "Write BIRD configuration file"
++
++	# Write header
++	config_header "bird" > ${BIRD_CONF}
++
++	# Write some basic settings
++	local proto
++	(
++		print "# Log everything to syslog"
++		print "log syslog all;"
++		print
++
++		print "# Turn on internal watchdog"
++		print "watchdog warning 5s;"
++		print "watchdog timeout 30s;"
++		print
++
++		print "# Define default route tables"
++		print "ipv6 table master6;"
++		print "ipv4 table master4;"
++
++		print "# Enable device configuration"
++		print "protocol device {}"
++		print
++
++		print "# Export all routes to kernel"
++		for proto in ipv6 ipv4; do
++			print "protocol kernel {"
++			print "	${proto} {"
++			print "		table ${proto/ipv/master};"
++			print "		export all;"
++			print "	};"
++			print "	learn;"
++			print "}"
++			print
++		done
++	) >> ${BIRD_CONF}
++}
+-- 
+2.39.2
+
diff --git a/network/patches/0012-bird-Apply-static-routes-instead-of-doing-that-manua.patch b/network/patches/0012-bird-Apply-static-routes-instead-of-doing-that-manua.patch
new file mode 100644
index 000000000..887df6386
--- /dev/null
+++ b/network/patches/0012-bird-Apply-static-routes-instead-of-doing-that-manua.patch
@@ -0,0 +1,146 @@ 
+From 0a5787976dd85db212fc5046c85d2aad6c64da5c Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 16 Dec 2018 17:47:57 +0000
+Subject: [PATCH 012/304] bird: Apply static routes instead of doing that
+ manually with ip
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.bird    | 52 ++++++++++++++++++++++++++++++++-
+ src/functions/functions.route   | 38 +++---------------------
+ src/functions/functions.routing |  3 --
+ 3 files changed, 55 insertions(+), 38 deletions(-)
+
+diff --git a/src/functions/functions.bird b/src/functions/functions.bird
+index 9c8b006..c6fea32 100644
+--- a/src/functions/functions.bird
++++ b/src/functions/functions.bird
+@@ -60,7 +60,7 @@ bird_generate_config() {
+ 		print
+ 
+ 		print "# Export all routes to kernel"
+-		for proto in ipv6 ipv4; do
++		for proto in ${IP_SUPPORTED_PROTOCOLS}; do
+ 			print "protocol kernel {"
+ 			print "	${proto} {"
+ 			print "		table ${proto/ipv/master};"
+@@ -71,4 +71,54 @@ bird_generate_config() {
+ 			print
+ 		done
+ 	) >> ${BIRD_CONF}
++
++	# Static routes
++	for proto in ${IP_SUPPORTED_PROTOCOLS}; do
++		print "protocol static {"
++		print "	${proto};"
++		print
++
++		# Read routes for this protocol from configuration
++		__bird_static_routes "${proto}"
++
++		print "}"
++		print
++	done >> ${BIRD_CONF}
++}
++
++__bird_static_routes() {
++	local proto="${1}"
++	assert isset proto
++
++	local ${NETWORK_CONFIG_ROUTES_PARAMS}
++	local line
++	while read line; do
++		route_parse_line "${line}"
++		[ $? -eq ${EXIT_OK} ] || continue
++
++		local type
++		local arg
++		for arg in unreachable prohibit blackhole; do
++			if enabled "${arg}"; then
++				type="${arg}"
++				break
++			fi
++		done
++
++		# Skip all routes of another protocol
++		local _proto="$(ip_detect_protocol "${network}")"
++		if [ "${proto}" != "${_proto}" ]; then
++			continue
++		fi
++
++		case "${type}" in
++			unreachable|prohibit|blackhole)
++				print "	route ${network} ${type};"
++				;;
++
++			*)
++				print "	route ${network} via ${gateway};"
++				;;
++		esac
++	done < ${NETWORK_CONFIG_ROUTES}
+ }
+diff --git a/src/functions/functions.route b/src/functions/functions.route
+index 7ca4f59..e6ea244 100644
+--- a/src/functions/functions.route
++++ b/src/functions/functions.route
+@@ -393,41 +393,11 @@ route_parse_line() {
+ }
+ 
+ route_apply() {
+-	local table="static"
+-	local type
++	# Re-generate BIRD configuration
++	bird_generate_config
+ 
+-	log DEBUG "Applying static routes..."
+-
+-	# Flush the routing table.
+-	route_table_flush ${table}
+-
+-	local ${NETWORK_CONFIG_ROUTES_PARAMS}
+-	local line
+-	while read line; do
+-		route_parse_line ${line}
+-		[ $? -eq ${EXIT_OK} ] || continue
+-
+-		type="unicast"
+-		local arg
+-		for arg in unreachable prohibit blackhole; do
+-			if enabled ${arg}; then
+-				type="${arg}"
+-				break
+-			fi
+-		done
+-
+-		# Add the route.
+-		route_entry_add ${network} --table="static" --proto="static" \
+-			--type="${type}" --gateway="${gateway}" --mtu="${mtu}"
+-		local ret=$?
+-
+-		if [ ${ret} -ne ${EXIT_OK} ]; then
+-			log WARNING "Could not set route '${network}'."
+-		fi
+-	done < ${NETWORK_CONFIG_ROUTES}
+-
+-	# Create a lookup rule for the static routing table.
+-	route_rule_add --lookup="static" --priority=1000
++	# Reload the daemon
++	bird_reload
+ }
+ 
+ route_entry_add() {
+diff --git a/src/functions/functions.routing b/src/functions/functions.routing
+index 2436585..c7aac09 100644
+--- a/src/functions/functions.routing
++++ b/src/functions/functions.routing
+@@ -181,7 +181,4 @@ routing_update() {
+ 	cmd ${routing_cmd}
+ 
+ 	cmd ${ip_cmd} rule add from ${local_ip_address} lookup ${table}
+-
+-	# Apply all static routes
+-	route_apply
+ }
+-- 
+2.39.2
+
diff --git a/network/patches/0013-bird-Re-generate-configuration-when-network-is-initi.patch b/network/patches/0013-bird-Re-generate-configuration-when-network-is-initi.patch
new file mode 100644
index 000000000..1c3458ec4
--- /dev/null
+++ b/network/patches/0013-bird-Re-generate-configuration-when-network-is-initi.patch
@@ -0,0 +1,28 @@ 
+From eb6b47dcc7d5d541064ad90787ae55df3c3a8453 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 16 Dec 2018 17:55:25 +0000
+Subject: [PATCH 013/304] bird: (Re-)generate configuration when network is
+ initialised
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/network | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/network b/src/network
+index 69d77d5..b8f734e 100644
+--- a/src/network
++++ b/src/network
+@@ -1410,6 +1410,9 @@ case "${action}" in
+ 		# Update resolv.conf(5) when initializing the network
+ 		dns_generate_resolvconf
+ 
++		# Update bird configuration
++		bird_generate_config
++
+ 		# Also execute all triggers
+ 		triggers_execute_all "init"
+ 		;;
+-- 
+2.39.2
+
diff --git a/network/patches/0014-dns-Always-enable-EDNS0.patch b/network/patches/0014-dns-Always-enable-EDNS0.patch
new file mode 100644
index 000000000..bd8ce2427
--- /dev/null
+++ b/network/patches/0014-dns-Always-enable-EDNS0.patch
@@ -0,0 +1,32 @@ 
+From c27b38b437fa82a2227d554f4855c116395995ce Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 13 Feb 2019 17:45:05 +0000
+Subject: [PATCH 014/304] dns: Always enable EDNS0
+
+This is for all DNS queries originating from the firewall.
+
+Since we have had DNS Flag Day, we are expecting all DNS servers
+to support this now. If not, then you are very unlucky.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.dns | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/functions/functions.dns b/src/functions/functions.dns
+index 4cd5cb4..890f1ac 100644
+--- a/src/functions/functions.dns
++++ b/src/functions/functions.dns
+@@ -245,6 +245,9 @@ dns_generate_resolvconf() {
+ 
+ 	config_header "resolver configutation file" > ${file}
+ 
++	# Always enable EDNS0
++	print "option edns0\n" >> "${file}"
++
+ 	if enabled DNS_RANDOMIZE; then
+ 		print "option rotate\n" >> ${file}
+ 	fi
+-- 
+2.39.2
+
diff --git a/network/patches/0015-wireless-ap-Use-automatic-channel-selection-ACS-by-d.patch b/network/patches/0015-wireless-ap-Use-automatic-channel-selection-ACS-by-d.patch
new file mode 100644
index 000000000..9b6099b56
--- /dev/null
+++ b/network/patches/0015-wireless-ap-Use-automatic-channel-selection-ACS-by-d.patch
@@ -0,0 +1,27 @@ 
+From 469bc87f91538d668a32f9c38a3d8b1b4679c7ae Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 18 Mar 2019 19:46:06 +0100
+Subject: [PATCH 015/304] wireless-ap: Use automatic channel selection (ACS) by
+ default
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/wireless-ap | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 32d1a5a..52ca238 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -28,7 +28,7 @@ HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION KEY"
+ 
+ ADDRESS=$(mac_generate)
+ BROADCAST_SSID=on
+-CHANNEL=1
++CHANNEL=0
+ ENCRYPTION=""
+ KEY=""
+ SSID=
+-- 
+2.39.2
+
diff --git a/network/patches/0016-wireless-ap-Allow-to-disable-DFS-in-configuration.patch b/network/patches/0016-wireless-ap-Allow-to-disable-DFS-in-configuration.patch
new file mode 100644
index 000000000..717b30550
--- /dev/null
+++ b/network/patches/0016-wireless-ap-Allow-to-disable-DFS-in-configuration.patch
@@ -0,0 +1,102 @@ 
+From 7b297fb22fb16db920d68224b232e5acc652688a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 18 Mar 2019 19:58:25 +0100
+Subject: [PATCH 016/304] wireless-ap: Allow to disable DFS in configuration
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd   | 10 +++++++++-
+ src/helpers/hostapd-config-helper |  1 +
+ src/hooks/ports/wireless-ap       | 16 ++++++++++++++++
+ 3 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 3f64e79..e19f9b3 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -36,6 +36,7 @@ hostapd_config_write() {
+ 	local broadcast_ssid
+ 	local channel
+ 	local country_code="$(wireless_get_reg_domain)"
++	local dfs="on"
+ 	local encryption
+ 	local key
+ 	local mode
+@@ -50,6 +51,9 @@ hostapd_config_write() {
+ 			--channel=*)
+ 				channel=$(cli_get_val "${1}")
+ 				;;
++			--dfs=*)
++				dfs="$(cli_get_val "${1}")"
++				;;
+ 			--encryption=*)
+ 				encryption=$(cli_get_val "${1}")
+ 				;;
+@@ -177,7 +181,11 @@ hostapd_config_write() {
+ 		print "ieee80211d=1"
+ 
+ 		# Enable Radar Detection
+-		print "ieee80211h=1"
++		if enabled dfs; then
++			print "ieee80211h=1"
++		else
++			print "ieee80211h=0"
++		fi
+ 
+ 		print # empty line
+ 
+diff --git a/src/helpers/hostapd-config-helper b/src/helpers/hostapd-config-helper
+index cb12af0..30d3456 100644
+--- a/src/helpers/hostapd-config-helper
++++ b/src/helpers/hostapd-config-helper
+@@ -40,6 +40,7 @@ case "${action}" in
+ 		hostapd_config_write ${port} ${config_file} \
+ 			--broadcast-ssid="${BROADCAST_SSID}" \
+ 			--channel="${CHANNEL}" \
++			--dfs="${DFS}" \
+ 			--encryption="${ENCRYPTION}" \
+ 			--key="${KEY}" \
+ 			--mode="${MODE}" \
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 52ca238..49c0a84 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -33,12 +33,16 @@ ENCRYPTION=""
+ KEY=""
+ SSID=
+ 
++# Perform radar detection by default when possible
++DFS="on"
++
+ hook_check_settings() {
+ 	assert isset ADDRESS
+ 	assert ismac ADDRESS
+ 	assert isset BROADCAST_SSID
+ 	assert isbool BROADCAST_SSID
+ 	assert isset CHANNEL
++	assert isbool DFS
+ 	assert isset MODE
+ 	assert isoneof MODE ${HOSTAPD_SUPPORTED_MODES}
+ 	assert isset PHY
+@@ -63,6 +67,18 @@ hook_parse_cmdline() {
+ 			--channel=*)
+ 				CHANNEL=$(cli_get_val "${1}")
+ 				;;
++			--dfs=*)
++				DFS="$(cli_get_val "${1}")"
++
++				if enabled DFS; then
++					DFS="on"
++				elif disabled DFS; then
++					DFS="off"
++				else
++					error "Invalid value for DFS: ${DFS}"
++					return ${EXIT_ERROR}
++				fi
++				;;
+ 			--encryption=*)
+ 				ENCRYPTION=$(cli_get_val "${1}")
+ 				;;
+-- 
+2.39.2
+
diff --git a/network/patches/0017-hostapd-Disable-DFS-automatically-when-not-supported.patch b/network/patches/0017-hostapd-Disable-DFS-automatically-when-not-supported.patch
new file mode 100644
index 000000000..a087dc1a1
--- /dev/null
+++ b/network/patches/0017-hostapd-Disable-DFS-automatically-when-not-supported.patch
@@ -0,0 +1,99 @@ 
+From dc6d97fbf2064365f5b84496a77227b4e3ca03d6 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 18 Mar 2019 20:10:56 +0100
+Subject: [PATCH 017/304] hostapd: Disable DFS automatically when not supported
+ by hardware
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd  |  2 +-
+ src/functions/functions.phy      | 22 ++++++++++++++++++++++
+ src/functions/functions.wireless | 13 +++++++++++++
+ src/network                      |  7 +++++++
+ 4 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index e19f9b3..b855994 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -181,7 +181,7 @@ hostapd_config_write() {
+ 		print "ieee80211d=1"
+ 
+ 		# Enable Radar Detection
+-		if enabled dfs; then
++		if enabled dfs && wireless_supports_dfs "${device}"; then
+ 			print "ieee80211h=1"
+ 		else
+ 			print "ieee80211h=0"
+diff --git a/src/functions/functions.phy b/src/functions/functions.phy
+index 96287a5..064ca7b 100644
+--- a/src/functions/functions.phy
++++ b/src/functions/functions.phy
+@@ -188,3 +188,25 @@ phy_supports_ht_capability() {
+ 
+ 	list_match "${capability}" $(__phy_list_ht_capabilities "${phy}")
+ }
++
++# Returns TRUE if the PHY supports DFS
++phy_supports_dfs() {
++	local phy="${1}"
++	assert isset phy
++
++	local driver="$(phy_get_driver "${phy}")"
++	if ! isset driver; then
++		return ${EXIT_ERROR}
++	fi
++
++	# This is basically a whilelist of drivers which support this
++	# There is no better detection
++	case "${driver}" in
++		ath10k_*|ath9k|ath5k)
++			return ${EXIT_TRUE}
++			;;
++		*)
++			return ${EXIT_FALSE}
++			;;
++	esac
++}
+diff --git a/src/functions/functions.wireless b/src/functions/functions.wireless
+index 3608e11..221866e 100644
+--- a/src/functions/functions.wireless
++++ b/src/functions/functions.wireless
+@@ -515,3 +515,16 @@ wireless_get_vht_caps() {
+ 
+ 	network-phy-list-vht-caps "${phy}"
+ }
++
++wireless_supports_dfs() {
++	local device="${1}"
++	assert isset device
++
++	local phy="$(device_get_phy "${device}")"
++	if ! isset phy; then
++		log ERROR "Could not determine PHY for ${device}"
++		return ${EXIT_ERROR}
++	fi
++
++	phy_supports_dfs "${phy}"
++}
+diff --git a/src/network b/src/network
+index b8f734e..de2e663 100644
+--- a/src/network
++++ b/src/network
+@@ -277,6 +277,13 @@ cli_device_status_phy() {
+ 		cli_space
+ 	fi
+ 
++	cli_headline 2 "Features"
++
++	cli_print_fmt1 2 "DFS" \
++		"$(phy_supports_dfs "${phy}" && print "Supported" || print "Not Supported")"
++
++	cli_space
++
+ 	return ${EXIT_OK}
+ }
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0018-wireless-ap-Add-CLI-to-set-channel-bandwidth.patch b/network/patches/0018-wireless-ap-Add-CLI-to-set-channel-bandwidth.patch
new file mode 100644
index 000000000..ef53e6273
--- /dev/null
+++ b/network/patches/0018-wireless-ap-Add-CLI-to-set-channel-bandwidth.patch
@@ -0,0 +1,87 @@ 
+From 54094fc7ae1bc17e8d8361f7758d9404f1eeff02 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 18 Mar 2019 20:50:44 +0100
+Subject: [PATCH 018/304] wireless-ap: Add CLI to set channel bandwidth
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.wireless | 20 ++++++++++++++++++++
+ src/hooks/ports/wireless-ap      | 10 ++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/src/functions/functions.wireless b/src/functions/functions.wireless
+index 221866e..0437d27 100644
+--- a/src/functions/functions.wireless
++++ b/src/functions/functions.wireless
+@@ -29,6 +29,14 @@ WIRELESS_DEFAULT_ENCRYPTION_MODE="NONE"
+ WIRELESS_VALID_ENCRYPTION_MODES="WPA2-PSK-SHA256 WPA2-PSK \
+ 	WPA-PSK-SHA256 WPA-PSK NONE"
+ 
++declare -A WIRELESS_CHANNEL_BANDWIDTHS=(
++	["802.11ac"]="20 40 80 160 80+80"
++	["802.11a/n"]="20 40"
++	["802.11a"]="20 40"
++	["802.11g/n"]="20 40"
++	["802.11g"]="20 40"
++)
++
+ cli_wireless() {
+ 	local action=${1}
+ 	shift 1
+@@ -309,6 +317,18 @@ wireless_channel_is_valid() {
+ 	return ${EXIT_FALSE}
+ }
+ 
++wireless_channel_bandwidth_is_valid() {
++	local mode="${1}"
++	assert isset mode
++
++	local bandwidth="${2}"
++	assert isset bandwidth
++
++	local bandwidths="${WIRELESS_CHANNEL_BANDWIDTHS["${mode}"]}"
++
++	list_match "${bandwidth}" ${bandwidths}
++}
++
+ wireless_channel_is_ht40_plus() {
+ 	local channel="${1}"
+ 	assert isinteger channel
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 49c0a84..8b626bf 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -29,6 +29,7 @@ HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION KEY"
+ ADDRESS=$(mac_generate)
+ BROADCAST_SSID=on
+ CHANNEL=0
++CHANNEL_BANDWIDTH=
+ ENCRYPTION=""
+ KEY=""
+ SSID=
+@@ -67,6 +68,9 @@ hook_parse_cmdline() {
+ 			--channel=*)
+ 				CHANNEL=$(cli_get_val "${1}")
+ 				;;
++			--channel-bandwidth=*)
++				CHANNEL_BANDWIDTH="$(cli_get_val "${1}")"
++				;;
+ 			--dfs=*)
+ 				DFS="$(cli_get_val "${1}")"
+ 
+@@ -121,6 +125,12 @@ hook_parse_cmdline() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
++	# Channel bandwidth must match the mode
++	if isset CHANNEL_BANDWIDTH && ! wireless_channel_bandwidth_is_valid "${MODE}" "${CHANNEL_BANDWIDTH}"; then
++		error "Channel Bandwidth '${CHANNEL_BANDWIDTH}' is not supported"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# Save address of phy do identify it again
+ 	PHY=$(phy_get ${PHY})
+ 	PHY=$(phy_get_address ${PHY})
+-- 
+2.39.2
+
diff --git a/network/patches/0019-wireless-ap-Forgot-to-add-configuration-variables-to.patch b/network/patches/0019-wireless-ap-Forgot-to-add-configuration-variables-to.patch
new file mode 100644
index 000000000..d6a92619a
--- /dev/null
+++ b/network/patches/0019-wireless-ap-Forgot-to-add-configuration-variables-to.patch
@@ -0,0 +1,29 @@ 
+From 40c95a6b261e8fdadca97f21ff7cd2a11af3bfb3 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 18 Mar 2019 21:21:37 +0100
+Subject: [PATCH 019/304] wireless-ap: Forgot to add configuration variables to
+ file
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/wireless-ap | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 8b626bf..5e00014 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -23,8 +23,8 @@
+ 
+ HOOK_PORT_PATTERN="${PORT_PATTERN_ACCESSPOINT}"
+ 
+-HOOK_SETTINGS="ADDRESS BROADCAST_SSID CHANNEL MODE PHY SSID"
+-HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION KEY"
++HOOK_SETTINGS="ADDRESS BROADCAST_SSID CHANNEL CHANNEL_BANDWIDTH DFS MODE PHY"
++HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION KEY SSID"
+ 
+ ADDRESS=$(mac_generate)
+ BROADCAST_SSID=on
+-- 
+2.39.2
+
diff --git a/network/patches/0020-hostapd-Apply-channel-bandwidth-to-configuration.patch b/network/patches/0020-hostapd-Apply-channel-bandwidth-to-configuration.patch
new file mode 100644
index 000000000..cf9962ddb
--- /dev/null
+++ b/network/patches/0020-hostapd-Apply-channel-bandwidth-to-configuration.patch
@@ -0,0 +1,109 @@ 
+From f9e980d91e081613e5dcc7899c28fbdfc7a4c172 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 18 Mar 2019 21:24:02 +0100
+Subject: [PATCH 020/304] hostapd: Apply channel bandwidth to configuration
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd   | 26 ++++++++++++++++++++++++++
+ src/helpers/hostapd-config-helper |  1 +
+ src/hooks/ports/wireless-ap       |  2 +-
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index b855994..57f8c1e 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -35,6 +35,7 @@ hostapd_config_write() {
+ 
+ 	local broadcast_ssid
+ 	local channel
++	local channel_bandwidth
+ 	local country_code="$(wireless_get_reg_domain)"
+ 	local dfs="on"
+ 	local encryption
+@@ -51,6 +52,9 @@ hostapd_config_write() {
+ 			--channel=*)
+ 				channel=$(cli_get_val "${1}")
+ 				;;
++			--channel-bandwidth=*)
++				channel_bandwidth="$(cli_get_val "${1}")"
++				;;
+ 			--dfs=*)
+ 				dfs="$(cli_get_val "${1}")"
+ 				;;
+@@ -107,10 +111,17 @@ hostapd_config_write() {
+ 		assert isset key
+ 	fi
+ 
++	# Check channel bandwidth for validity
++	if isset channel_bandwidth && ! wireless_channel_bandwidth_is_valid "${mode}" "${channel_bandwidth}"; then
++		error "Invalid channel bandwidth for ${mode}: ${channel_bandwidth}"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# 802.11ac/n flags
+ 	local ieee80211ac
+ 	local ieee80211n
+ 	local vht_caps
++	local vht_oper_chwidth="0"
+ 	local ht_caps
+ 
+ 	local hw_mode
+@@ -149,6 +160,18 @@ hostapd_config_write() {
+ 
+ 			# Fetch HT caps
+ 			ht_caps="$(wireless_get_ht_caps "${device}")"
++
++			case "${channel_bandwidth}" in
++				80)
++					vht_oper_chwidth="1"
++					;;
++				160)
++					vht_oper_chwidth="2"
++					;;
++				80+80)
++					vht_oper_chwidth="3"
++					;;
++			esac
+ 			;;
+ 	esac
+ 
+@@ -221,6 +244,9 @@ hostapd_config_write() {
+ 		# Enable HT caps
+ 		print "ht_capab=${ht_caps}"
+ 
++		# Wider Channels
++		print "vht_oper_chwidth=${vht_oper_chwidth}"
++
+ 		print
+ 	) >> ${file}
+ 
+diff --git a/src/helpers/hostapd-config-helper b/src/helpers/hostapd-config-helper
+index 30d3456..8af3097 100644
+--- a/src/helpers/hostapd-config-helper
++++ b/src/helpers/hostapd-config-helper
+@@ -40,6 +40,7 @@ case "${action}" in
+ 		hostapd_config_write ${port} ${config_file} \
+ 			--broadcast-ssid="${BROADCAST_SSID}" \
+ 			--channel="${CHANNEL}" \
++			--channel-bandwidth="${CHANNEL_BANDWIDTH}" \
+ 			--dfs="${DFS}" \
+ 			--encryption="${ENCRYPTION}" \
+ 			--key="${KEY}" \
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 5e00014..983f0f9 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -127,7 +127,7 @@ hook_parse_cmdline() {
+ 
+ 	# Channel bandwidth must match the mode
+ 	if isset CHANNEL_BANDWIDTH && ! wireless_channel_bandwidth_is_valid "${MODE}" "${CHANNEL_BANDWIDTH}"; then
+-		error "Channel Bandwidth '${CHANNEL_BANDWIDTH}' is not supported"
++		error "Channel Bandwidth '${CHANNEL_BANDWIDTH}' is not supported for ${MODE}"
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0021-wireless-ap-Enable-ACS-only-for-ath-devices.patch b/network/patches/0021-wireless-ap-Enable-ACS-only-for-ath-devices.patch
new file mode 100644
index 000000000..2bd7a17f7
--- /dev/null
+++ b/network/patches/0021-wireless-ap-Enable-ACS-only-for-ath-devices.patch
@@ -0,0 +1,117 @@ 
+From 1b4aa2ca01c5d0bd45213187e6a58b4cc0f57547 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 21 Mar 2019 20:22:56 +0100
+Subject: [PATCH 021/304] wireless-ap: Enable ACS only for ath* devices
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd  |  6 ++++++
+ src/functions/functions.phy      | 22 ++++++++++++++++++++++
+ src/functions/functions.wireless | 13 +++++++++++++
+ src/hooks/ports/wireless-ap      |  9 ++++++++-
+ 4 files changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 57f8c1e..9024ab2 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -111,6 +111,12 @@ hostapd_config_write() {
+ 		assert isset key
+ 	fi
+ 
++	# With channel 0, ACS must be supported
++	if [ ${channel} -eq 0 ] && ! wireless_supports_acs "${device}"; then
++		error "ACS requested, but not supported by ${device}"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# Check channel bandwidth for validity
+ 	if isset channel_bandwidth && ! wireless_channel_bandwidth_is_valid "${mode}" "${channel_bandwidth}"; then
+ 		error "Invalid channel bandwidth for ${mode}: ${channel_bandwidth}"
+diff --git a/src/functions/functions.phy b/src/functions/functions.phy
+index 064ca7b..ee0f2a2 100644
+--- a/src/functions/functions.phy
++++ b/src/functions/functions.phy
+@@ -189,6 +189,28 @@ phy_supports_ht_capability() {
+ 	list_match "${capability}" $(__phy_list_ht_capabilities "${phy}")
+ }
+ 
++# Returns TRUE if the PHY supports ACS
++phy_supports_acs() {
++	local phy="${1}"
++	assert isset phy
++
++	local driver="$(phy_get_driver "${phy}")"
++	if ! isset driver; then
++		return ${EXIT_ERROR}
++	fi
++
++	# This is basically a whilelist of drivers which support this
++	# There is no better detection
++	case "${driver}" in
++		ath10k_*|ath9k|ath5k)
++			return ${EXIT_TRUE}
++			;;
++		*)
++			return ${EXIT_FALSE}
++			;;
++	esac
++}
++
+ # Returns TRUE if the PHY supports DFS
+ phy_supports_dfs() {
+ 	local phy="${1}"
+diff --git a/src/functions/functions.wireless b/src/functions/functions.wireless
+index 0437d27..9e72fe0 100644
+--- a/src/functions/functions.wireless
++++ b/src/functions/functions.wireless
+@@ -536,6 +536,19 @@ wireless_get_vht_caps() {
+ 	network-phy-list-vht-caps "${phy}"
+ }
+ 
++wireless_supports_acs() {
++	local device="${1}"
++	assert isset device
++
++	local phy="$(device_get_phy "${device}")"
++	if ! isset phy; then
++		log ERROR "Could not determine PHY for ${device}"
++		return ${EXIT_ERROR}
++	fi
++
++	phy_supports_acs "${phy}"
++}
++
+ wireless_supports_dfs() {
+ 	local device="${1}"
+ 	assert isset device
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 983f0f9..0c42b61 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -28,7 +28,7 @@ HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION KEY SSID"
+ 
+ ADDRESS=$(mac_generate)
+ BROADCAST_SSID=on
+-CHANNEL=0
++CHANNEL=
+ CHANNEL_BANDWIDTH=
+ ENCRYPTION=""
+ KEY=""
+@@ -125,6 +125,13 @@ hook_parse_cmdline() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
++	# Automatically enable ACS if no channel is set and ACS is available
++	if ! isset CHANNEL && phy_supports_acs "${PHY}"; then
++		CHANNEL="0"
++
++		log INFO "Automatic Channel Selection (ACS) enabled"
++	fi
++
+ 	# Channel bandwidth must match the mode
+ 	if isset CHANNEL_BANDWIDTH && ! wireless_channel_bandwidth_is_valid "${MODE}" "${CHANNEL_BANDWIDTH}"; then
+ 		error "Channel Bandwidth '${CHANNEL_BANDWIDTH}' is not supported for ${MODE}"
+-- 
+2.39.2
+
diff --git a/network/patches/0022-wireless-ap-Allow-setting-the-wireless-environment-i.patch b/network/patches/0022-wireless-ap-Allow-setting-the-wireless-environment-i.patch
new file mode 100644
index 000000000..57c2a889c
--- /dev/null
+++ b/network/patches/0022-wireless-ap-Allow-setting-the-wireless-environment-i.patch
@@ -0,0 +1,164 @@ 
+From 7842c2ce43d1f185e65bb9f2beead96376e2bd34 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 21 Mar 2019 22:14:43 +0100
+Subject: [PATCH 022/304] wireless-ap: Allow setting the wireless environment
+ (indoor/outdoor)
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd   | 26 +++++++++++++++++++++++++-
+ src/functions/functions.wireless  |  9 +++++++++
+ src/helpers/hostapd-config-helper |  1 +
+ src/hooks/ports/wireless-ap       | 14 +++++++++++++-
+ 4 files changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 9024ab2..94b06db 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -39,6 +39,7 @@ hostapd_config_write() {
+ 	local country_code="$(wireless_get_reg_domain)"
+ 	local dfs="on"
+ 	local encryption
++	local environment="${WIRELESS_DEFAULT_ENVIRONMENT}"
+ 	local key
+ 	local mode
+ 	local ssid
+@@ -61,6 +62,9 @@ hostapd_config_write() {
+ 			--encryption=*)
+ 				encryption=$(cli_get_val "${1}")
+ 				;;
++			--environment=*)
++				environment="$(cli_get_val "${1}")"
++				;;
+ 			--key=*)
+ 				key=$(cli_get_val "${1}")
+ 				;;
+@@ -111,6 +115,12 @@ hostapd_config_write() {
+ 		assert isset key
+ 	fi
+ 
++	# Check wireless environment
++	if ! wireless_environment_is_valid "${environment}"; then
++		error "Invalid wireless environment: ${environment}"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# With channel 0, ACS must be supported
+ 	if [ ${channel} -eq 0 ] && ! wireless_supports_acs "${device}"; then
+ 		error "ACS requested, but not supported by ${device}"
+@@ -208,6 +218,21 @@ hostapd_config_write() {
+ 
+ 		# Advertise country code and maximum transmission power
+ 		print "ieee80211d=1"
++		print "country_code=${country_code}"
++
++		# Wireless Environment
++		case "${environment}" in
++			indoor)
++				print "country3=0x49"
++				       country3
++				;;
++			outdoor)
++				print "country3=0x4f"
++				;;
++			indoor+outdoor)
++				print "country3=0x20"
++				;;
++		esac
+ 
+ 		# Enable Radar Detection
+ 		if enabled dfs && wireless_supports_dfs "${device}"; then
+@@ -230,7 +255,6 @@ hostapd_config_write() {
+ 		fi
+ 
+ 		print "channel=${channel}"
+-		print "country_code=${country_code}"
+ 		print "ignore_broadcast_ssid=${ignore_broadcast_ssid}"
+ 
+ 		if contains_spaces "${ssid}"; then
+diff --git a/src/functions/functions.wireless b/src/functions/functions.wireless
+index 9e72fe0..12204c0 100644
+--- a/src/functions/functions.wireless
++++ b/src/functions/functions.wireless
+@@ -37,6 +37,9 @@ declare -A WIRELESS_CHANNEL_BANDWIDTHS=(
+ 	["802.11g"]="20 40"
+ )
+ 
++WIRELESS_ENVIRONMENTS=( "indoor+outdoor" "indoor" "outdoor" )
++WIRELESS_DEFAULT_ENVIRONMENT="${WIRELESS_ENVIRONMENTS[0]}"
++
+ cli_wireless() {
+ 	local action=${1}
+ 	shift 1
+@@ -561,3 +564,9 @@ wireless_supports_dfs() {
+ 
+ 	phy_supports_dfs "${phy}"
+ }
++
++wireless_environment_is_valid() {
++	local environment="${1}"
++
++	list_match "${environment}" "${WIRELESS_ENVIRONMENTS[@]}"
++}
+diff --git a/src/helpers/hostapd-config-helper b/src/helpers/hostapd-config-helper
+index 8af3097..d3292c3 100644
+--- a/src/helpers/hostapd-config-helper
++++ b/src/helpers/hostapd-config-helper
+@@ -43,6 +43,7 @@ case "${action}" in
+ 			--channel-bandwidth="${CHANNEL_BANDWIDTH}" \
+ 			--dfs="${DFS}" \
+ 			--encryption="${ENCRYPTION}" \
++			--environment="${ENVIRONMENT}" \
+ 			--key="${KEY}" \
+ 			--mode="${MODE}" \
+ 			--ssid="${SSID}" \
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 0c42b61..6db39b8 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -24,7 +24,7 @@
+ HOOK_PORT_PATTERN="${PORT_PATTERN_ACCESSPOINT}"
+ 
+ HOOK_SETTINGS="ADDRESS BROADCAST_SSID CHANNEL CHANNEL_BANDWIDTH DFS MODE PHY"
+-HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION KEY SSID"
++HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION ENVIRONMENT KEY SSID"
+ 
+ ADDRESS=$(mac_generate)
+ BROADCAST_SSID=on
+@@ -37,6 +37,8 @@ SSID=
+ # Perform radar detection by default when possible
+ DFS="on"
+ 
++ENVIRONMENT="${WIRELESS_DEFAULT_ENVIRONMENT}"
++
+ hook_check_settings() {
+ 	assert isset ADDRESS
+ 	assert ismac ADDRESS
+@@ -57,6 +59,8 @@ hook_check_settings() {
+ 		assert [ ${#KEY} -ge 8 ]
+ 		assert [ ${#KEY} -le 63 ]
+ 	fi
++
++	assert wireless_environment_is_valid "${ENVIRONMENT}"
+ }
+ 
+ hook_parse_cmdline() {
+@@ -86,6 +90,14 @@ hook_parse_cmdline() {
+ 			--encryption=*)
+ 				ENCRYPTION=$(cli_get_val "${1}")
+ 				;;
++			--environment=*)
++				ENVIRONMENT="$(cli_get_val "${1}")"
++
++				if ! wireless_environment_is_valid "${ENVIRONMENT}"; then
++					error "Invalid wireless environment: ${ENVIRONMENT}"
++					return ${EXIT_ERROR}
++				fi
++				;;
+ 			--key=*)
+ 				KEY=$(cli_get_val "${1}")
+ 				;;
+-- 
+2.39.2
+
diff --git a/network/patches/0023-hostapd-Remove-now-useless-comment.patch b/network/patches/0023-hostapd-Remove-now-useless-comment.patch
new file mode 100644
index 000000000..0e224a2c9
--- /dev/null
+++ b/network/patches/0023-hostapd-Remove-now-useless-comment.patch
@@ -0,0 +1,26 @@ 
+From 09f00f0df436a3280b93b7570c6b9ae3152cf21e Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 22 Mar 2019 11:40:32 +0100
+Subject: [PATCH 023/304] hostapd: Remove now useless comment
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 94b06db..eb177fe 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -214,8 +214,6 @@ hostapd_config_write() {
+ 	fi
+ 
+ 	(
+-		print "# Default settings"
+-
+ 		# Advertise country code and maximum transmission power
+ 		print "ieee80211d=1"
+ 		print "country_code=${country_code}"
+-- 
+2.39.2
+
diff --git a/network/patches/0024-hostapd-Always-enable-Transmit-Power-Control.patch b/network/patches/0024-hostapd-Always-enable-Transmit-Power-Control.patch
new file mode 100644
index 000000000..bac1030a2
--- /dev/null
+++ b/network/patches/0024-hostapd-Always-enable-Transmit-Power-Control.patch
@@ -0,0 +1,30 @@ 
+From 9602617288e200c0935d5888746f58c23b2f7af7 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 22 Mar 2019 11:45:03 +0100
+Subject: [PATCH 024/304] hostapd: Always enable Transmit Power Control
+
+Also advertise this to clients
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index eb177fe..dd52e56 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -232,6 +232,10 @@ hostapd_config_write() {
+ 				;;
+ 		esac
+ 
++		# Always advertise TPC
++		print "local_pwr_constraint=3"
++		print "spectrum_mgmt_required=1"
++
+ 		# Enable Radar Detection
+ 		if enabled dfs && wireless_supports_dfs "${device}"; then
+ 			print "ieee80211h=1"
+-- 
+2.39.2
+
diff --git a/network/patches/0025-hostapd-Set-default-WMM-settings.patch b/network/patches/0025-hostapd-Set-default-WMM-settings.patch
new file mode 100644
index 000000000..7e8e2dab1
--- /dev/null
+++ b/network/patches/0025-hostapd-Set-default-WMM-settings.patch
@@ -0,0 +1,72 @@ 
+From fcdbed86e00c02550682c110d768ff9a557ba8d7 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 22 Mar 2019 12:02:25 +0100
+Subject: [PATCH 025/304] hostapd: Set default WMM settings
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd | 47 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index dd52e56..911a141 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -265,8 +265,53 @@ hostapd_config_write() {
+ 			print "ssid=${ssid}"
+ 		fi
+ 
+-		# WMM
++		# WMM & WMM-PS Unscheduled Automatic Power Save Delivery
+ 		print "wmm_enabled=${wmm}"
++		print "uapsd_advertisement_enabled=1"
++
++		# Low Priority / AC_BK = Background
++		print "wmm_ac_bk_cwmin=4"
++		print "wmm_ac_bk_cwmax=10"
++		print "wmm_ac_bk_aifs=7"
++		print "wmm_ac_bk_txop_limit=0"
++		print "wmm_ac_bk_acm=0"
++		print "tx_queue_data3_aifs=7"
++		print "tx_queue_data3_cwmin=15"
++		print "tx_queue_data3_cwmax=1023"
++		print "tx_queue_data3_burst=0"
++
++		# Normal Priority / AC_BE = Best Effort
++		print "wmm_ac_be_aifs=3"
++		print "wmm_ac_be_cwmin=4"
++		print "wmm_ac_be_cwmax=10"
++		print "wmm_ac_be_txop_limit=0"
++		print "wmm_ac_be_acm=0"
++		print "tx_queue_data2_aifs=3"
++		print "tx_queue_data2_cwmin=15"
++		print "tx_queue_data2_cwmax=63"
++		print "tx_queue_data2_burst=0"
++
++		# High Priority / AC_VI = Video
++		print "wmm_ac_vi_aifs=2"
++		print "wmm_ac_vi_cwmin=3"
++		print "wmm_ac_vi_cwmax=4"
++		print "wmm_ac_vi_txop_limit=94"
++		print "wmm_ac_vi_acm=0"
++		print "tx_queue_data1_aifs=1"
++		print "tx_queue_data1_cwmin=7"
++		print "tx_queue_data1_cwmax=15"
++		print "tx_queue_data1_burst=3.0"
++
++		# Highest Priority / AC_VO = Voice
++		print "wmm_ac_vo_aifs=2"
++		print "wmm_ac_vo_cwmin=2"
++		print "wmm_ac_vo_cwmax=3"
++		print "wmm_ac_vo_txop_limit=47"
++		print "wmm_ac_vo_acm=0"
++		print "tx_queue_data0_aifs=1"
++		print "tx_queue_data0_cwmin=3"
++		print "tx_queue_data0_cwmax=7"
++		print "tx_queue_data0_burst=1.5"
+ 
+ 		# Enable VHT caps
+ 		if isset vht_caps; then
+-- 
+2.39.2
+
diff --git a/network/patches/0026-hostapd-Kick-stations-that-are-too-far-away.patch b/network/patches/0026-hostapd-Kick-stations-that-are-too-far-away.patch
new file mode 100644
index 000000000..09f16b114
--- /dev/null
+++ b/network/patches/0026-hostapd-Kick-stations-that-are-too-far-away.patch
@@ -0,0 +1,27 @@ 
+From 4d4bca7eec3d036e1cbed28fc823d06d08008d78 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 22 Mar 2019 12:02:46 +0100
+Subject: [PATCH 026/304] hostapd: Kick stations that are too far away
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 911a141..8b281cc 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -265,6 +265,9 @@ hostapd_config_write() {
+ 			print "ssid=${ssid}"
+ 		fi
+ 
++		# Kick stations that are too far away
++		print "disassoc_low_ack=1"
++
+ 		# WMM & WMM-PS Unscheduled Automatic Power Save Delivery
+ 		print "wmm_enabled=${wmm}"
+ 		print "uapsd_advertisement_enabled=1"
+-- 
+2.39.2
+
diff --git a/network/patches/0027-hostapd-Always-qoute-SSID.patch b/network/patches/0027-hostapd-Always-qoute-SSID.patch
new file mode 100644
index 000000000..9e65758fa
--- /dev/null
+++ b/network/patches/0027-hostapd-Always-qoute-SSID.patch
@@ -0,0 +1,34 @@ 
+From 4873f3299807fb0fde7c7f71736dd9318c708ca1 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 22 Mar 2019 12:08:08 +0100
+Subject: [PATCH 027/304] hostapd: Always qoute SSID
+
+hostapd has a new parameter that always allows us to set
+the SSID as a quoted UTF8 string
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 8b281cc..245b4cf 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -259,11 +259,8 @@ hostapd_config_write() {
+ 		print "channel=${channel}"
+ 		print "ignore_broadcast_ssid=${ignore_broadcast_ssid}"
+ 
+-		if contains_spaces "${ssid}"; then
+-			print "ssid=\"${ssid}\""
+-		else
+-			print "ssid=${ssid}"
+-		fi
++		print "ssid2=\"${ssid}\""
++		print "utf8_ssid=1"
+ 
+ 		# Kick stations that are too far away
+ 		print "disassoc_low_ack=1"
+-- 
+2.39.2
+
diff --git a/network/patches/0028-wireless-ap-Allow-to-enable-disable-802.11w-Manageme.patch b/network/patches/0028-wireless-ap-Allow-to-enable-disable-802.11w-Manageme.patch
new file mode 100644
index 000000000..dc0872607
--- /dev/null
+++ b/network/patches/0028-wireless-ap-Allow-to-enable-disable-802.11w-Manageme.patch
@@ -0,0 +1,130 @@ 
+From 34ca39360410ab03c7909494e6291bbb65622e3d Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 22 Mar 2019 12:27:38 +0100
+Subject: [PATCH 028/304] wireless-ap: Allow to enable/disable 802.11w
+ Management Frame Protection
+
+This is disabled by default, because loads of stations have issues
+associating with an AP that has 802.11w enabled.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd   | 17 +++++++++++++++++
+ src/helpers/hostapd-config-helper |  1 +
+ src/hooks/ports/wireless-ap       | 18 ++++++++++++++++++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 245b4cf..bf0c5fc 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -41,6 +41,7 @@ hostapd_config_write() {
+ 	local encryption
+ 	local environment="${WIRELESS_DEFAULT_ENVIRONMENT}"
+ 	local key
++	local mfp="off"
+ 	local mode
+ 	local ssid
+ 	local wmm="1"
+@@ -68,6 +69,9 @@ hostapd_config_write() {
+ 			--key=*)
+ 				key=$(cli_get_val "${1}")
+ 				;;
++			--mfp=*)
++				mfp="$(cli_get_val "${1}")"
++				;;
+ 			--mode=*)
+ 				mode=$(cli_get_val "${1}")
+ 
+@@ -133,6 +137,12 @@ hostapd_config_write() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
++	# Management Frame Proection
++	if ! isbool mfp; then
++		error "Invalid value for --mfp: ${mfp}"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# 802.11ac/n flags
+ 	local ieee80211ac
+ 	local ieee80211n
+@@ -325,6 +335,13 @@ hostapd_config_write() {
+ 		print "vht_oper_chwidth=${vht_oper_chwidth}"
+ 
+ 		print
++
++		# 802.11w - Management Frame Protection (MFP)
++		if enabled mfp; then
++			print "ieee80211w=2" # required
++		else
++			print "ieee80211w=0"
++		fi
+ 	) >> ${file}
+ 
+ 	# Control interface.
+diff --git a/src/helpers/hostapd-config-helper b/src/helpers/hostapd-config-helper
+index d3292c3..7af723d 100644
+--- a/src/helpers/hostapd-config-helper
++++ b/src/helpers/hostapd-config-helper
+@@ -45,6 +45,7 @@ case "${action}" in
+ 			--encryption="${ENCRYPTION}" \
+ 			--environment="${ENVIRONMENT}" \
+ 			--key="${KEY}" \
++			--mfp="${MFP}" \
+ 			--mode="${MODE}" \
+ 			--ssid="${SSID}" \
+ 		|| exit $?
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 6db39b8..7073cbc 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -25,6 +25,7 @@ HOOK_PORT_PATTERN="${PORT_PATTERN_ACCESSPOINT}"
+ 
+ HOOK_SETTINGS="ADDRESS BROADCAST_SSID CHANNEL CHANNEL_BANDWIDTH DFS MODE PHY"
+ HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION ENVIRONMENT KEY SSID"
++HOOK_SETTINGS="${HOOK_SETTINGS} MFP"
+ 
+ ADDRESS=$(mac_generate)
+ BROADCAST_SSID=on
+@@ -37,6 +38,10 @@ SSID=
+ # Perform radar detection by default when possible
+ DFS="on"
+ 
++# 802.11w - Management Frame Protection
++# Disable by default because many clients cannot connect when enabled
++MFP="off"
++
+ ENVIRONMENT="${WIRELESS_DEFAULT_ENVIRONMENT}"
+ 
+ hook_check_settings() {
+@@ -46,6 +51,7 @@ hook_check_settings() {
+ 	assert isbool BROADCAST_SSID
+ 	assert isset CHANNEL
+ 	assert isbool DFS
++	assert isbool MFP
+ 	assert isset MODE
+ 	assert isoneof MODE ${HOSTAPD_SUPPORTED_MODES}
+ 	assert isset PHY
+@@ -104,6 +110,18 @@ hook_parse_cmdline() {
+ 			--mac=*)
+ 				ADDRESS=$(cli_get_val "${1}")
+ 				;;
++			--mfp=*)
++				MFP="$(cli_get_val "${1}")"
++
++				if enabled MFP; then
++					MFP="on"
++				elif disabled MFP; then
++					MFP="off"
++				else
++					error "Invalid value for --mfp: ${MFP}"
++					return ${EXIT_ERROR}
++				fi
++				;;
+ 			--mode=*)
+ 				MODE=$(cli_get_val "${1}")
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0029-network-Show-when-a-PHY-supports-ACS.patch b/network/patches/0029-network-Show-when-a-PHY-supports-ACS.patch
new file mode 100644
index 000000000..f18008404
--- /dev/null
+++ b/network/patches/0029-network-Show-when-a-PHY-supports-ACS.patch
@@ -0,0 +1,26 @@ 
+From 304b20a828e0987943ccda6f1c4321682195a67a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 29 Mar 2019 18:46:25 +0100
+Subject: [PATCH 029/304] network: Show when a PHY supports ACS
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/network | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/network b/src/network
+index de2e663..3535133 100644
+--- a/src/network
++++ b/src/network
+@@ -279,6 +279,8 @@ cli_device_status_phy() {
+ 
+ 	cli_headline 2 "Features"
+ 
++	cli_print_fmt1 2 "Automatic Channel Selection" \
++		"$(phy_supports_acs "${phy}" && print "Supported" || print "Not Supported")"
+ 	cli_print_fmt1 2 "DFS" \
+ 		"$(phy_supports_dfs "${phy}" && print "Supported" || print "Not Supported")"
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0030-Move-cli_device_status_phy-to-functions.phy.patch b/network/patches/0030-Move-cli_device_status_phy-to-functions.phy.patch
new file mode 100644
index 000000000..eaf70d3fd
--- /dev/null
+++ b/network/patches/0030-Move-cli_device_status_phy-to-functions.phy.patch
@@ -0,0 +1,112 @@ 
+From 01648ba604f9d0c922193553cfcb36dae0bfddaf Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 29 Mar 2019 18:47:47 +0100
+Subject: [PATCH 030/304] Move cli_device_status_phy() to functions.phy
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.phy | 38 +++++++++++++++++++++++++++++++++++++
+ src/network                 | 38 -------------------------------------
+ 2 files changed, 38 insertions(+), 38 deletions(-)
+
+diff --git a/src/functions/functions.phy b/src/functions/functions.phy
+index ee0f2a2..120117c 100644
+--- a/src/functions/functions.phy
++++ b/src/functions/functions.phy
+@@ -21,6 +21,44 @@
+ 
+ PHY_DIR="/sys/class/ieee80211"
+ 
++cli_device_status_phy() {
++	local phy="${1}"
++	assert phy_exists "${phy}"
++
++	local address="$(phy_get_address "${phy}")"
++	cli_print_fmt1 1 "Address" "${address}"
++
++	# Show kernel module
++	local driver="$(phy_get_driver "${phy}")"
++	if isset driver; then
++		cli_print_fmt1 1 "Driver" "${driver}"
++	fi
++
++	cli_space
++
++	local devices="$(phy_get_devices "${phy}")"
++	if isset devices; then
++		cli_headline 2 "Soft interfaces"
++
++		local device
++		for device in ${devices}; do
++			cli_print 2 "* %s" "${device}"
++		done
++		cli_space
++	fi
++
++	cli_headline 2 "Features"
++
++	cli_print_fmt1 2 "Automatic Channel Selection" \
++		"$(phy_supports_acs "${phy}" && print "Supported" || print "Not Supported")"
++	cli_print_fmt1 2 "DFS" \
++		"$(phy_supports_dfs "${phy}" && print "Supported" || print "Not Supported")"
++
++	cli_space
++
++	return ${EXIT_OK}
++}
++
+ phy_dir() {
+ 	local phy=${1}
+ 
+diff --git a/src/network b/src/network
+index 3535133..300ba94 100644
+--- a/src/network
++++ b/src/network
+@@ -251,44 +251,6 @@ cli_device_status_serial() {
+ 	fi
+ }
+ 
+-cli_device_status_phy() {
+-	local phy="${1}"
+-	assert phy_exists "${phy}"
+-
+-	local address="$(phy_get_address "${phy}")"
+-	cli_print_fmt1 1 "Address" "${address}"
+-
+-	# Show kernel module
+-	local driver="$(phy_get_driver "${phy}")"
+-	if isset driver; then
+-		cli_print_fmt1 1 "Driver" "${driver}"
+-	fi
+-
+-	cli_space
+-
+-	local devices="$(phy_get_devices "${phy}")"
+-	if isset devices; then
+-		cli_headline 2 "Soft interfaces"
+-
+-		local device
+-		for device in ${devices}; do
+-			cli_print 2 "* %s" "${device}"
+-		done
+-		cli_space
+-	fi
+-
+-	cli_headline 2 "Features"
+-
+-	cli_print_fmt1 2 "Automatic Channel Selection" \
+-		"$(phy_supports_acs "${phy}" && print "Supported" || print "Not Supported")"
+-	cli_print_fmt1 2 "DFS" \
+-		"$(phy_supports_dfs "${phy}" && print "Supported" || print "Not Supported")"
+-
+-	cli_space
+-
+-	return ${EXIT_OK}
+-}
+-
+ cli_device_discover() {
+ 	local device=${1}
+ 	shift
+-- 
+2.39.2
+
diff --git a/network/patches/0031-hostapd-Dump-config-file-in-debug-mode.patch b/network/patches/0031-hostapd-Dump-config-file-in-debug-mode.patch
new file mode 100644
index 000000000..26e05b097
--- /dev/null
+++ b/network/patches/0031-hostapd-Dump-config-file-in-debug-mode.patch
@@ -0,0 +1,52 @@ 
+From 7c91c167d10cbe3d390f0dc8c426eed0abf243b4 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 11:26:38 +0100
+Subject: [PATCH 031/304] hostapd: Dump config file in debug mode
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd |  3 +++
+ src/functions/functions.util    | 13 +++++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index bf0c5fc..737bd1a 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -378,6 +378,9 @@ hostapd_config_write() {
+ 		) >> ${file}
+ 	fi
+ 
++	# Log configuration file
++	file_to_log DEBUG "${file}"
++
+ 	return ${EXIT_OK}
+ }
+ 
+diff --git a/src/functions/functions.util b/src/functions/functions.util
+index b767423..4c1dbb4 100644
+--- a/src/functions/functions.util
++++ b/src/functions/functions.util
+@@ -248,6 +248,19 @@ file_get_age() {
+ 	return ${EXIT_ERROR}
+ }
+ 
++file_to_log() {
++	local level="${1}"
++	assert isset level
++
++	local file="${2}"
++	assert file_exists "${file}"
++
++	local line
++	while read line; do
++		log "${level}" "${line}"
++	done < "${file}"
++}
++
+ make_directory() {
+ 	local path="${1}"
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0032-wireless-ap-Automatically-enable-all-supported-ciphe.patch b/network/patches/0032-wireless-ap-Automatically-enable-all-supported-ciphe.patch
new file mode 100644
index 000000000..7277180b2
--- /dev/null
+++ b/network/patches/0032-wireless-ap-Automatically-enable-all-supported-ciphe.patch
@@ -0,0 +1,519 @@ 
+From 2e4e3c88ba2543e5bf4bf3f92977990c281a00bb Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 11:27:50 +0100
+Subject: [PATCH 032/304] wireless-ap: Automatically enable all supported
+ ciphers
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am                          |   7 ++
+ src/functions/functions.hostapd      |  65 +++++++++++-
+ src/functions/functions.phy          |  17 +++
+ src/libnetwork/libnetwork.sym        |  37 ++++---
+ src/libnetwork/network/phy.h         |  22 ++++
+ src/libnetwork/phy.c                 | 149 +++++++++++++++++++++++++++
+ src/utils/.gitignore                 |   1 +
+ src/utils/network-phy-list-ciphers.c |  61 +++++++++++
+ 8 files changed, 340 insertions(+), 19 deletions(-)
+ create mode 100644 src/utils/network-phy-list-ciphers.c
+
+diff --git a/Makefile.am b/Makefile.am
+index 0139f95..1b5e7e9 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -301,6 +301,7 @@ EXTRA_DIST += \
+ 
+ util_PROGRAMS = \
+ 	src/utils/network-phy-list-channels \
++	src/utils/network-phy-list-ciphers \
+ 	src/utils/network-phy-list-ht-caps \
+ 	src/utils/network-phy-list-vht-caps
+ 
+@@ -310,6 +311,12 @@ src_utils_network_phy_list_channels_SOURCES = \
+ src_utils_network_phy_list_channels_LDADD = \
+ 	src/libnetwork.la
+ 
++src_utils_network_phy_list_ciphers_SOURCES = \
++	src/utils/network-phy-list-ciphers.c
++
++src_utils_network_phy_list_ciphers_LDADD = \
++	src/libnetwork.la
++
+ src_utils_network_phy_list_ht_caps_SOURCES = \
+ 	src/utils/network-phy-list-ht-caps.c
+ 
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 737bd1a..6111457 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -23,6 +23,19 @@ HOSTAPD_CONTROL_INTERFACE_DIR="/run/hostapd/ctrl"
+ 
+ HOSTAPD_SUPPORTED_MODES="802.11a 802.11a/n 802.11ac 802.11g 802.11g/n"
+ 
++HOSTAPD_SUPPORTED_PAIRWISE_CIPHERS=(
++	"GCMP-256"	# Galois/counter mode protocol with 256 bit key
++	"CCMP-256"	# AES in Counter mode with CBC-MAC with 256 bit key
++	"GCMP-128"	# Galois/counter mode protocol with 128 bit key
++	"CCMP-128"	# AES in Counter mode with CBC-MAC with 128 bit key
++)
++
++# This must be supported by all stations on the network and therefore
++# can effectively only be CCMP
++HOSTAPD_SUPPORTED_GROUP_CIPHERS=(
++	"CCMP-128"
++)
++
+ hostapd_config_write() {
+ 	local device=${1}
+ 	assert isset device
+@@ -33,6 +46,16 @@ hostapd_config_write() {
+ 	# Shift the device and file argument.
+ 	shift 2
+ 
++	# Device must exist
++	if ! device_exists "${device}"; then
++		error "Cannot write hostapd configuration for non-existant device: ${device}"
++		return ${EXIT_ERROR}
++	fi
++
++	# Get the phy for device
++	local phy="$(device_get_phy "${device}")"
++	assert isset phy
++
+ 	local broadcast_ssid
+ 	local channel
+ 	local channel_bandwidth
+@@ -201,6 +224,25 @@ hostapd_config_write() {
+ 			;;
+ 	esac
+ 
++	# Cryptography
++	local cipher
++
++	# Get all supported pairwise ciphers
++	local pairwise_ciphers=()
++	for cipher in ${HOSTAPD_SUPPORTED_PAIRWISE_CIPHERS[*]}; do
++		if phy_supports_cipher "${phy}" "${cipher}"; then
++			pairwise_ciphers+=( "$(hostapd_cipher_name "${cipher}")" )
++		fi
++	done
++
++	# Get all supported group ciphers
++	local group_ciphers=()
++	for cipher in ${HOSTAPD_SUPPORTED_GROUP_CIPHERS[*]}; do
++		if phy_supports_cipher "${phy}" "${cipher}"; then
++			group_ciphers+=( "$(hostapd_cipher_name "${cipher}")" )
++		fi
++	done
++
+ 	# Create configuration directory.
+ 	local config_dir=$(dirname ${file})
+ 	mkdir -p ${HOSTAPD_CONTROL_INTERFACE_DIR} ${config_dir} 2>/dev/null
+@@ -372,8 +414,9 @@ hostapd_config_write() {
+ 			print "wpa=${encryption_mode}"
+ 			print "wpa_passphrase=${key}"
+ 			print "wpa_key_mgmt=WPA-PSK"
+-			print "wpa_pairwise=TKIP"
+-			print "rsn_pairwise=CCMP"
++			print "wpa_pairwise=${pairwise_ciphers[*]}"
++			print "rsn_pairwise=${pairwise_ciphers[*]}"
++			print "group_cipher=${group_ciphers[*]}"
+ 			print
+ 		) >> ${file}
+ 	fi
+@@ -407,3 +450,21 @@ hostapd_stop() {
+ 
+ 	service_stop "hostapd@${device}.service"
+ }
++
++hostapd_cipher_name() {
++	local cipher="${1}"
++
++	case "${cipher}" in
++		CCMP-128)
++			print "CCMP"
++			;;
++
++		GCMP-128)
++			print "GCMP"
++			;;
++
++		*)
++			print "${cipher}"
++			;;
++	esac
++}
+diff --git a/src/functions/functions.phy b/src/functions/functions.phy
+index 120117c..c06389c 100644
+--- a/src/functions/functions.phy
++++ b/src/functions/functions.phy
+@@ -208,6 +208,23 @@ phy_supports_channel() {
+ 	return ${EXIT_FALSE}
+ }
+ 
++phy_list_ciphers() {
++	local phy="${1}"
++	assert isset phy
++
++	network-phy-list-ciphers "${phy}"
++}
++
++phy_supports_cipher() {
++	local phy="${1}"
++	assert isset phy
++
++	local cipher="${2}"
++	assert isset cipher
++
++	list_match "${cipher}" $(phy_list_ciphers "${phy}")
++}
++
+ __phy_list_ht_capabilities() {
+ 	local phy="${1}"
+ 	assert isset phy
+diff --git a/src/libnetwork/libnetwork.sym b/src/libnetwork/libnetwork.sym
+index 593c4a2..034d43f 100644
+--- a/src/libnetwork/libnetwork.sym
++++ b/src/libnetwork/libnetwork.sym
+@@ -1,21 +1,24 @@
+ LIBNETWORK_0 {
+ global:
+-        network_interface_get_name;
+-        network_interface_new;
+-        network_interface_ref;
+-        network_interface_unref;
+-        network_new;
+-        network_phy_has_ht_capability;
+-        network_phy_has_vht_capability;
+-        network_phy_list_channels;
+-        network_phy_list_ht_capabilities;
+-        network_phy_list_vht_capabilities;
+-        network_phy_new;
+-        network_phy_ref;
+-        network_phy_unref;
+-        network_ref;
+-        network_unref;
+-        network_version;
++	network_interface_get_name;
++	network_interface_new;
++	network_interface_ref;
++	network_interface_unref;
++	network_new;
++	network_phy_get_cipher_string;
++	network_phy_has_ht_capability;
++	network_phy_has_vht_capability;
++	network_phy_list_channels;
++	network_phy_list_ciphers;
++	network_phy_list_ht_capabilities;
++	network_phy_list_vht_capabilities;
++	network_phy_supports_cipher;
++	network_phy_new;
++	network_phy_ref;
++	network_phy_unref;
++	network_ref;
++	network_unref;
++	network_version;
+ local:
+-        *;
++	*;
+ };
+diff --git a/src/libnetwork/network/phy.h b/src/libnetwork/network/phy.h
+index 9059680..bc6dafb 100644
+--- a/src/libnetwork/network/phy.h
++++ b/src/libnetwork/network/phy.h
+@@ -30,6 +30,25 @@ int network_phy_new(struct network_ctx*, struct network_phy** phy, const char* n
+ struct network_phy* network_phy_ref(struct network_phy* phy);
+ struct network_phy* network_phy_unref(struct network_phy* phy);
+ 
++enum network_phy_ciphers {
++	NETWORK_PHY_CIPHER_WEP40           = (1 <<  0),
++	NETWORK_PHY_CIPHER_TKIP            = (1 <<  1),
++	NETWORK_PHY_CIPHER_CCMP128         = (1 <<  2),
++	NETWORK_PHY_CIPHER_WEP104          = (1 <<  3),
++	NETWORK_PHY_CIPHER_CMAC128         = (1 <<  4),
++	NETWORK_PHY_CIPHER_GCMP128         = (1 <<  5),
++	NETWORK_PHY_CIPHER_GCMP256         = (1 <<  6),
++	NETWORK_PHY_CIPHER_CCMP256         = (1 <<  7),
++	NETWORK_PHY_CIPHER_GMAC128         = (1 <<  8),
++	NETWORK_PHY_CIPHER_GMAC256         = (1 <<  9),
++	NETWORK_PHY_CIPHER_CMAC256         = (1 << 10),
++	NETWORK_PHY_CIPHER_WPISMS4         = (1 << 11),
++};
++
++const char* network_phy_get_cipher_string(const enum network_phy_ciphers cipher);
++int network_phy_supports_cipher(struct network_phy* phy, const enum network_phy_ciphers cipher);
++char* network_phy_list_ciphers(struct network_phy* phy);
++
+ enum network_phy_ht_caps {
+ 	NETWORK_PHY_HT_CAP_RX_LDPC         = (1 <<  0),
+ 	NETWORK_PHY_HT_CAP_HT40            = (1 <<  1),
+@@ -81,6 +100,9 @@ char* network_phy_list_ht_capabilities(struct network_phy* phy);
+ struct nl_msg* network_phy_make_netlink_message(struct network_phy* phy,
+ 	enum nl80211_commands cmd, int flags);
+ 
++#define foreach_cipher(cipher) \
++	for(enum network_phy_ciphers cipher = NETWORK_PHY_CIPHER_WEP40; cipher <= NETWORK_PHY_CIPHER_WPISMS4; cipher <<= 1)
++
+ #define foreach_vht_cap(cap) \
+ 	for(int cap = NETWORK_PHY_VHT_CAP_VHT160; cap <= NETWORK_PHY_VHT_CAP_TX_ANTENNA_PATTERN; cap <<= 1)
+ 
+diff --git a/src/libnetwork/phy.c b/src/libnetwork/phy.c
+index 0bf9c81..e3f2aad 100644
+--- a/src/libnetwork/phy.c
++++ b/src/libnetwork/phy.c
+@@ -52,6 +52,7 @@ struct network_phy {
+ 
+ 	TAILQ_HEAD(head, network_phy_channel) channels;
+ 
++	enum network_phy_ciphers ciphers;
+ 	ssize_t max_mpdu_length;
+ 	unsigned int vht_caps;
+ 	unsigned int ht_caps;
+@@ -80,6 +81,81 @@ static int phy_get_index(const char* name) {
+ 	return atoi(index);
+ }
+ 
++static void phy_parse_ciphers(struct network_phy* phy, __u32* ciphers, int num) {
++	enum network_phy_ciphers cipher;
++
++	// Reset value
++	phy->ciphers = 0;
++
++	for (int i = 0; i < num; i++) {
++		switch (ciphers[i]) {
++			case 0x000fac01:
++				cipher = NETWORK_PHY_CIPHER_WEP40;
++				break;
++
++			case 0x000fac02:
++				cipher = NETWORK_PHY_CIPHER_TKIP;
++				break;
++
++			case 0x000fac04:
++				cipher = NETWORK_PHY_CIPHER_CCMP128;
++				break;
++
++			case 0x000fac05:
++				cipher = NETWORK_PHY_CIPHER_WEP104;
++				break;
++
++			case 0x000fac06:
++				cipher = NETWORK_PHY_CIPHER_CMAC128;
++				break;
++
++			case 0x000fac08:
++				cipher = NETWORK_PHY_CIPHER_GCMP128;
++				break;
++
++			case 0x000fac09:
++				cipher = NETWORK_PHY_CIPHER_GCMP256;
++				break;
++
++			/*
++				I have no idea what these are. My card reports them but
++				I could not find out anything about them.
++			*/
++			case 0x000fac0a:
++			case 0x000fac0b:
++			case 0x000fac0c:
++			case 0x000fac0d:
++				continue;
++
++			case 0x000fac10:
++				cipher = NETWORK_PHY_CIPHER_CCMP256;
++				break;
++
++			case 0x000fac11:
++				cipher = NETWORK_PHY_CIPHER_GMAC128;
++				break;
++
++			case 0x000fac12:
++				cipher = NETWORK_PHY_CIPHER_GMAC256;
++				break;
++
++			case 0x000fac13:
++				cipher = NETWORK_PHY_CIPHER_CMAC256;
++				break;
++
++			case 0x00147201:
++				cipher = NETWORK_PHY_CIPHER_WPISMS4;
++				break;
++
++			default:
++				ERROR(phy->ctx, "Unknown cipher found: %x\n", ciphers[i]);
++				continue;
++		}
++
++		phy->ciphers |= cipher;
++	}
++}
++
+ static void phy_parse_vht_capabilities(struct network_phy* phy, __u32 caps) {
+ 	// Max MPDU length
+ 	switch (caps & 0x3) {
+@@ -325,6 +401,13 @@ static int phy_parse_info(struct nl_msg* msg, void* data) {
+ 	nla_parse(attrs, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
+ 		genlmsg_attrlen(gnlh, 0), NULL);
+ 
++	// Ciphers
++	if (attrs[NL80211_ATTR_CIPHER_SUITES]) {
++		int num = nla_len(attrs[NL80211_ATTR_CIPHER_SUITES]) / sizeof(__u32);
++		__u32* ciphers = nla_data(attrs[NL80211_ATTR_CIPHER_SUITES]);
++		phy_parse_ciphers(phy, ciphers, num);
++	}
++
+ 	if (attrs[NL80211_ATTR_WIPHY_BANDS]) {
+ 		struct nlattr* nl_band;
+ 		int i;
+@@ -464,6 +547,72 @@ nla_put_failure:
+ 	return NULL;
+ }
+ 
++NETWORK_EXPORT const char* network_phy_get_cipher_string(const enum network_phy_ciphers cipher) {
++	switch (cipher) {
++		case NETWORK_PHY_CIPHER_WEP40:
++			return "WEP40";
++
++		case NETWORK_PHY_CIPHER_TKIP:
++			return "TKIP";
++
++		case NETWORK_PHY_CIPHER_CCMP128:
++			return "CCMP-128";
++
++		case NETWORK_PHY_CIPHER_WEP104:
++			return "WEP-104";
++
++		case NETWORK_PHY_CIPHER_CMAC128:
++			return "CMAC-128";
++
++		case NETWORK_PHY_CIPHER_GCMP128:
++			return "GCMP-128";
++
++		case NETWORK_PHY_CIPHER_GCMP256:
++			return "GCMP-256";
++
++		case NETWORK_PHY_CIPHER_CCMP256:
++			return "CCMP-256";
++
++		case NETWORK_PHY_CIPHER_GMAC128:
++			return "GMAC-128";
++
++		case NETWORK_PHY_CIPHER_GMAC256:
++			return "GMAC-256";
++
++		case NETWORK_PHY_CIPHER_CMAC256:
++			return "CMAC-256";
++
++		case NETWORK_PHY_CIPHER_WPISMS4:
++			return "WPI-SMS4";
++	}
++
++	return NULL;
++}
++
++NETWORK_EXPORT int network_phy_supports_cipher(struct network_phy* phy, const enum network_phy_ciphers cipher) {
++	return phy->ciphers & cipher;
++}
++
++NETWORK_EXPORT char* network_phy_list_ciphers(struct network_phy* phy) {
++	char* buffer = NULL;
++
++	foreach_cipher(cipher) {
++		if (network_phy_supports_cipher(phy, cipher)) {
++			const char* s = network_phy_get_cipher_string(cipher);
++
++			if (!s)
++				continue;
++
++			if (buffer)
++				asprintf(&buffer, "%s %s", buffer, s);
++			else
++				asprintf(&buffer, "%s", s);
++		}
++	}
++
++	return buffer;
++}
++
+ NETWORK_EXPORT int network_phy_has_vht_capability(struct network_phy* phy, const enum network_phy_vht_caps cap) {
+ 	return phy->vht_caps & cap;
+ }
+diff --git a/src/utils/.gitignore b/src/utils/.gitignore
+index 11cf3b6..df712dc 100644
+--- a/src/utils/.gitignore
++++ b/src/utils/.gitignore
+@@ -1,3 +1,4 @@
+ /network-phy-list-channels
++/network-phy-list-ciphers
+ /network-phy-list-ht-caps
+ /network-phy-list-vht-caps
+diff --git a/src/utils/network-phy-list-ciphers.c b/src/utils/network-phy-list-ciphers.c
+new file mode 100644
+index 0000000..0132c0c
+--- /dev/null
++++ b/src/utils/network-phy-list-ciphers.c
+@@ -0,0 +1,61 @@
++/*#############################################################################
++#                                                                             #
++# IPFire.org - A linux based firewall                                         #
++# Copyright (C) 2019 IPFire Network Development Team                          #
++#                                                                             #
++# This program is free software: you can redistribute it and/or modify        #
++# it under the terms of the GNU General Public License as published by        #
++# the Free Software Foundation, either version 3 of the License, or           #
++# (at your option) any later version.                                         #
++#                                                                             #
++# This program is distributed in the hope that it will be useful,             #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
++# GNU General Public License for more details.                                #
++#                                                                             #
++# You should have received a copy of the GNU General Public License           #
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
++#                                                                             #
++#############################################################################*/
++
++#include <stdio.h>
++#include <stdlib.h>
++
++#include <network/libnetwork.h>
++#include <network/logging.h>
++#include <network/phy.h>
++
++int main(int argc, char** argv) {
++    struct network_ctx* ctx = NULL;
++    struct network_phy* phy = NULL;
++    int r;
++
++    if (argc < 2) {
++        fprintf(stderr, "No enough arguments\n");
++        r = 2;
++        goto END;
++    }
++
++    // Initialise context
++    r = network_new(&ctx);
++    if (r)
++        return r;
++
++    r = network_phy_new(ctx, &phy, argv[1]);
++    if (r) {
++        fprintf(stderr, "Could not find %s\n", argv[1]);
++        goto END;
++    }
++
++    // Print all supported ciphers
++    char* ciphers = network_phy_list_ciphers(phy);
++    if (ciphers && *ciphers) {
++        printf("%s\n", ciphers);
++        free(ciphers);
++    }
++
++END:
++    network_phy_unref(phy);
++    network_unref(ctx);
++    return r;
++}
+-- 
+2.39.2
+
diff --git a/network/patches/0033-hostapd-Enable-WPA-authentication-with-SHA256.patch b/network/patches/0033-hostapd-Enable-WPA-authentication-with-SHA256.patch
new file mode 100644
index 000000000..70a50a310
--- /dev/null
+++ b/network/patches/0033-hostapd-Enable-WPA-authentication-with-SHA256.patch
@@ -0,0 +1,26 @@ 
+From 27380e6e6343faa0b2c1a87234ecf21ecc6f0840 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 12:47:32 +0100
+Subject: [PATCH 033/304] hostapd: Enable WPA authentication with SHA256
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 6111457..79fb4db 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -413,7 +413,7 @@ hostapd_config_write() {
+ 			print "# Encryption settings"
+ 			print "wpa=${encryption_mode}"
+ 			print "wpa_passphrase=${key}"
+-			print "wpa_key_mgmt=WPA-PSK"
++			print "wpa_key_mgmt=WPA-PSK-SHA256 WPA-PSK"
+ 			print "wpa_pairwise=${pairwise_ciphers[*]}"
+ 			print "rsn_pairwise=${pairwise_ciphers[*]}"
+ 			print "group_cipher=${group_ciphers[*]}"
+-- 
+2.39.2
+
diff --git a/network/patches/0034-hooks-Automatically-set-defaults-for-all-port-hooks.patch b/network/patches/0034-hooks-Automatically-set-defaults-for-all-port-hooks.patch
new file mode 100644
index 000000000..f2940d01a
--- /dev/null
+++ b/network/patches/0034-hooks-Automatically-set-defaults-for-all-port-hooks.patch
@@ -0,0 +1,98 @@ 
+From 4637109c42417e34c02631cd8391bccc7f2733cb Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 13:03:59 +0100
+Subject: [PATCH 034/304] hooks: Automatically set defaults for all port hooks
+
+Before, this was broken so that all configuration parameters
+had to be passed all the time.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hook |  5 ++---
+ src/header-port              |  4 ++++
+ src/hooks/ports/bonding      |  5 ++---
+ src/hooks/ports/wireless-ap  | 15 +++++----------
+ 4 files changed, 13 insertions(+), 16 deletions(-)
+
+diff --git a/src/functions/functions.hook b/src/functions/functions.hook
+index 2f3ced0..c0ebfcb 100644
+--- a/src/functions/functions.hook
++++ b/src/functions/functions.hook
+@@ -130,9 +130,8 @@ hook_set_defaults() {
+ 	for setting in ${HOOK_SETTINGS}; do
+ 		local default="DEFAULT_${setting}"
+ 
+-		if isset ${default}; then
+-			assign "${setting}" "${!default}"
+-		fi
++		# Sets the default or empty
++		assign "${setting}" "${!default}"
+ 	done
+ }
+ 
+diff --git a/src/header-port b/src/header-port
+index ce1c192..141228a 100644
+--- a/src/header-port
++++ b/src/header-port
+@@ -44,6 +44,10 @@ hook_hotplug_rename() {
+ 
+ hook_default_new() {
+ 	local ${HOOK_SETTINGS}
++
++	# Import all default variables
++	hook_set_defaults
++
+ 	if ! hook_parse_cmdline "$@"; then
+ 		return ${EXIT_ERROR}
+ 	fi
+diff --git a/src/hooks/ports/bonding b/src/hooks/ports/bonding
+index 40d849f..f0572c3 100644
+--- a/src/hooks/ports/bonding
++++ b/src/hooks/ports/bonding
+@@ -23,9 +23,8 @@
+ 
+ HOOK_SETTINGS="ADDRESS MIIMON MODE OFFLOADING SLAVES"
+ 
+-SLAVES=""
+-MIIMON=100
+-MODE="balance-rr"
++DEFAULT_MIIMON=100
++DEFAULT_MODE="balance-rr"
+ 
+ hook_check_settings() {
+ 	assert isset ADDRESS
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 7073cbc..2bb4977 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -27,22 +27,17 @@ HOOK_SETTINGS="ADDRESS BROADCAST_SSID CHANNEL CHANNEL_BANDWIDTH DFS MODE PHY"
+ HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION ENVIRONMENT KEY SSID"
+ HOOK_SETTINGS="${HOOK_SETTINGS} MFP"
+ 
+-ADDRESS=$(mac_generate)
+-BROADCAST_SSID=on
+-CHANNEL=
+-CHANNEL_BANDWIDTH=
+-ENCRYPTION=""
+-KEY=""
+-SSID=
++# Broadcast SSID by default
++DEFAULT_BROADCAST_SSID="on"
+ 
+ # Perform radar detection by default when possible
+-DFS="on"
++DEFAULT_DFS="on"
+ 
+ # 802.11w - Management Frame Protection
+ # Disable by default because many clients cannot connect when enabled
+-MFP="off"
++DEFAULT_MFP="off"
+ 
+-ENVIRONMENT="${WIRELESS_DEFAULT_ENVIRONMENT}"
++DEFAULT_ENVIRONMENT="${WIRELESS_DEFAULT_ENVIRONMENT}"
+ 
+ hook_check_settings() {
+ 	assert isset ADDRESS
+-- 
+2.39.2
+
diff --git a/network/patches/0035-hooks-Import-zone-default-settings-too.patch b/network/patches/0035-hooks-Import-zone-default-settings-too.patch
new file mode 100644
index 000000000..c31e8e94d
--- /dev/null
+++ b/network/patches/0035-hooks-Import-zone-default-settings-too.patch
@@ -0,0 +1,176 @@ 
+From 53e764a73d5a04f653a4fda3c7f8810e8de13ed8 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 13:10:58 +0100
+Subject: [PATCH 035/304] hooks: Import zone default settings, too
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/header-zone           |  5 +++++
+ src/hooks/zones/bridge    | 11 ++---------
+ src/hooks/zones/ip-tunnel |  8 +-------
+ src/hooks/zones/modem     | 12 +-----------
+ src/hooks/zones/pppoe     | 20 ++------------------
+ 5 files changed, 11 insertions(+), 45 deletions(-)
+
+diff --git a/src/header-zone b/src/header-zone
+index ead4a32..7ad3e39 100644
+--- a/src/header-zone
++++ b/src/header-zone
+@@ -34,6 +34,11 @@ hook_new() {
+ 	assert isset zone
+ 	shift
+ 
++	local ${HOOK_SETTINGS}
++
++	# Import all default variables
++	hook_set_defaults
++
+ 	if ! hook_parse_cmdline "$@"; then
+ 		return ${EXIT_ERROR}
+ 	fi
+diff --git a/src/hooks/zones/bridge b/src/hooks/zones/bridge
+index 93a3a31..33d5811 100644
+--- a/src/hooks/zones/bridge
++++ b/src/hooks/zones/bridge
+@@ -29,6 +29,7 @@ HOOK_SETTINGS="${HOOK_SETTINGS} STP_PRIORITY MTU"
+ HOOK_PORT_SETTINGS="COST PRIORITY"
+ 
+ # Default values
++DEFAULT_STP="on"
+ DEFAULT_STP_FORWARD_DELAY=0
+ DEFAULT_STP_HELLO=2
+ DEFAULT_STP_MAXAGE=20
+@@ -123,19 +124,11 @@ hook_parse_cmdline() {
+ 		shift
+ 	done
+ 
+-	# Generate a random MAC address if the user passed no one
++	# Generate a random MAC address if the user passed none
+ 	if ! isset ADDRESS; then
+ 		ADDRESS="$(mac_generate)"
+ 	fi
+ 
+-	# Enable Spanning Tree Protocol by default
+-	if ! isset STP; then
+-		STP="on"
+-	fi
+-
+-	# Set all other defaults
+-	hook_set_defaults
+-
+ 	return ${EXIT_OK}
+ }
+ 
+diff --git a/src/hooks/zones/ip-tunnel b/src/hooks/zones/ip-tunnel
+index c9c73ba..e4be361 100644
+--- a/src/hooks/zones/ip-tunnel
++++ b/src/hooks/zones/ip-tunnel
+@@ -26,13 +26,7 @@ SUPPORTED_IP_TUNNEL_MODES="gre vti"
+ HOOK_SETTINGS="HOOK MARK MODE PEER LOCAL_ADDRESS"
+ 
+ # Default mode of the tunnel
+-MODE="gre"
+-
+-# The IP address of the tunnel endpoint where to connect to
+-PEER=
+-
+-# The local IP address of the tunnel endpoint
+-LOCAL_ADDRESS=
++DEFAULT_MODE="gre"
+ 
+ hook_check_settings() {
+ 	assert isset MODE && assert isoneof MODE ${SUPPORTED_IP_TUNNEL_MODES}
+diff --git a/src/hooks/zones/modem b/src/hooks/zones/modem
+index 1b4c3c0..50d43c7 100644
+--- a/src/hooks/zones/modem
++++ b/src/hooks/zones/modem
+@@ -27,47 +27,37 @@ MODEM_ALLOWED_AUTH_METHODS="${PPP_ALLOWED_AUTH_METHODS}"
+ HOOK_SETTINGS="HOOK"
+ 
+ # Access Point Name.
+-APN=
+ HOOK_SETTINGS="${HOOK_SETTINGS} APN"
+ 
+ # Sets the authentication algortihm that must be used.
+-AUTH=
+ HOOK_SETTINGS="${HOOK_SETTINGS} AUTH"
+ 
+ # Baudrate.
+-BAUDRATE=921600
++DEFAULT_BAUDRATE=921600
+ HOOK_SETTINGS="${HOOK_SETTINGS} BAUDRATE"
+ 
+ # The device name of the serial device.
+ # XXX how can we make sure that this does not change all the time?
+-DEVICE=
+ HOOK_SETTINGS="${HOOK_SETTINGS} DEVICE"
+ 
+ # A monitor device.
+ # Send AT commands to this device, when the primary device is
+ # connected.
+-MONITOR_DEVICE=
+ HOOK_SETTINGS="${HOOK_SETTINGS} MONITOR_DEVICE"
+ 
+ # Maximum transmission unit.
+-MTU=
+ HOOK_SETTINGS="${HOOK_SETTINGS} MTU"
+ 
+ # User credentials.
+-USERNAME=
+-PASSWORD=
+ HOOK_SETTINGS="${HOOK_SETTINGS} USERNAME PASSWORD"
+ 
+ # PIN code.
+-PIN=
+ HOOK_SETTINGS="${HOOK_SETTINGS} PIN"
+ 
+ # Phone number.
+-PHONE_NUMBER=
+ HOOK_SETTINGS="${HOOK_SETTINGS} PHONE_NUMBER"
+ 
+ # IMSI
+-IMSI=
+ HOOK_SETTINGS="${HOOK_SETTINGS} IMSI"
+ 
+ hook_check_settings() {
+diff --git a/src/hooks/zones/pppoe b/src/hooks/zones/pppoe
+index e113c92..cd3913b 100644
+--- a/src/hooks/zones/pppoe
++++ b/src/hooks/zones/pppoe
+@@ -24,31 +24,15 @@
+ HOOK_SETTINGS="HOOK ACCESS_CONCENTRATOR AUTH USERNAME PASSWORD"
+ HOOK_SETTINGS="${HOOK_SETTINGS} SERVICE_NAME MTU IPV6 PREFIX_DELEGATION"
+ 
+-# User credentials for the dialin.
+-USERNAME=""
+-PASSWORD=""
+-
+-# Set the authentication mechanism.
+-AUTH=
+-
+-# Access Concentrator.
+-ACCESS_CONCENTRATOR=""
+-
+-# Service name.
+-SERVICE_NAME=""
+-
+-# Maximum Transmission Unit.
+-MTU=
+-
+ # This hook can work with all authentication methods supported by pppd.
+ PPPOE_SUPPORTED_AUTH_METHODS="${PPP_SUPPORTED_AUTH_METHODS}"
+ PPPOE_PLUGIN="rp-pppoe.so"
+ 
+ # Request an IPv6 address.
+-IPV6="true"
++DEFAULT_IPV6="true"
+ 
+ # Use IPv6 prefix delegation.
+-PREFIX_DELEGATION="true"
++DEFAULT_PREFIX_DELEGATION="true"
+ 
+ hook_check_settings() {
+ 	assert isset USERNAME
+-- 
+2.39.2
+
diff --git a/network/patches/0036-Convert-HOOK_SETTINGS-into-an-array.patch b/network/patches/0036-Convert-HOOK_SETTINGS-into-an-array.patch
new file mode 100644
index 000000000..ad1fc9ade
--- /dev/null
+++ b/network/patches/0036-Convert-HOOK_SETTINGS-into-an-array.patch
@@ -0,0 +1,628 @@ 
+From d389e96b6c0a73fefd907bc99401b4ce4021bf97 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 13:49:08 +0100
+Subject: [PATCH 036/304] Convert HOOK_SETTINGS into an array
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hook  |  2 +-
+ src/functions/functions.ports |  4 +--
+ src/functions/functions.zone  |  6 ++---
+ src/header-port               | 10 ++++----
+ src/header-zone               |  2 +-
+ src/hooks/ports/bonding       | 20 +++++++++------
+ src/hooks/ports/dummy         | 10 +++++---
+ src/hooks/ports/ethernet      | 19 +++++++++------
+ src/hooks/ports/ip-tunnel     | 16 ++++++++----
+ src/hooks/ports/vlan          | 14 +++++++----
+ src/hooks/ports/wireless-ap   | 19 ++++++++++++---
+ src/hooks/ports/wireless-mesh | 12 ++++++---
+ src/hooks/zones/bridge        | 17 ++++++++++---
+ src/hooks/zones/ip-tunnel     |  7 +++++-
+ src/hooks/zones/modem         | 46 ++++++++++-------------------------
+ src/hooks/zones/pppoe         | 12 +++++++--
+ src/hooks/zones/wireless      |  5 +++-
+ 17 files changed, 132 insertions(+), 89 deletions(-)
+
+diff --git a/src/functions/functions.hook b/src/functions/functions.hook
+index c0ebfcb..fb68037 100644
+--- a/src/functions/functions.hook
++++ b/src/functions/functions.hook
+@@ -127,7 +127,7 @@ hook_help() {
+ # Sets all settings in HOOK_SETTINGS to their DEFAULT_* values
+ hook_set_defaults() {
+ 	local setting
+-	for setting in ${HOOK_SETTINGS}; do
++	for setting in ${HOOK_SETTINGS[*]}; do
+ 		local default="DEFAULT_${setting}"
+ 
+ 		# Sets the default or empty
+diff --git a/src/functions/functions.ports b/src/functions/functions.ports
+index f70adf6..fb22715 100644
+--- a/src/functions/functions.ports
++++ b/src/functions/functions.ports
+@@ -85,7 +85,7 @@ port_settings_read() {
+ 	# Save the HOOK variable.
+ 	local hook="${HOOK}"
+ 
+-	settings_read "$(port_file "${port}")" ${HOOK_SETTINGS}
++	settings_read "$(port_file "${port}")" ${HOOK_SETTINGS[*]}
+ 
+ 	# Restore hook.
+ 	HOOK="${hook}"
+@@ -100,7 +100,7 @@ port_settings_write() {
+ 	if function_exists "hook_check_settings"; then
+ 		list_append args "--check=\"hook_check_settings\""
+ 	fi
+-	list_append args HOOK ${HOOK_SETTINGS}
++	list_append args HOOK ${HOOK_SETTINGS[*]}
+ 
+ 	settings_write "$(port_file "${port}")" ${args}
+ }
+diff --git a/src/functions/functions.zone b/src/functions/functions.zone
+index 57e0b71..a0d3cfb 100644
+--- a/src/functions/functions.zone
++++ b/src/functions/functions.zone
+@@ -1248,8 +1248,8 @@ zone_settings_read() {
+ 	shift
+ 
+ 	local args
+-	if [ $# -eq 0 ] && [ -n "${HOOK_SETTINGS}" ]; then
+-		list_append args ${HOOK_SETTINGS}
++	if [ $# -eq 0 ] && [ -n "${HOOK_SETTINGS[*]}" ]; then
++		list_append args ${HOOK_SETTINGS[*]}
+ 	else
+ 		list_append args "$@"
+ 	fi
+@@ -1271,7 +1271,7 @@ zone_settings_write() {
+ 	if function_exists "hook_check_settings"; then
+ 		list_append args "--check=\"hook_check_settings\""
+ 	fi
+-	list_append args ${HOOK_SETTINGS}
++	list_append args HOOK ${HOOK_SETTINGS[*]}
+ 
+ 	settings_write "${NETWORK_ZONES_DIR}/${zone}/settings" ${args}
+ }
+diff --git a/src/header-port b/src/header-port
+index 141228a..2d8a820 100644
+--- a/src/header-port
++++ b/src/header-port
+@@ -43,7 +43,7 @@ hook_hotplug_rename() {
+ }
+ 
+ hook_default_new() {
+-	local ${HOOK_SETTINGS}
++	local ${HOOK_SETTINGS[*]}
+ 
+ 	# Import all default variables
+ 	hook_set_defaults
+@@ -57,7 +57,7 @@ hook_default_new() {
+ 	local port=$(port_find_free ${HOOK_PORT_PATTERN})
+ 	assert isset port
+ 
+-	port_settings_write "${port}" ${HOOK_SETTINGS}
++	port_settings_write "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	exit ${EXIT_OK}
+ }
+@@ -72,7 +72,7 @@ hook_default_edit() {
+ 	shift
+ 
+ 	# Read settings
+-	if ! port_settings_read "${port}" ${HOOK_SETTINGS}; then
++	if ! port_settings_read "${port}" ${HOOK_SETTINGS[*]}; then
+ 		error "Could not read settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+@@ -83,7 +83,7 @@ hook_default_edit() {
+ 	fi
+ 
+ 	# Save settings
+-	if ! port_settings_write "${port}" ${HOOK_SETTINGS}; then
++	if ! port_settings_write "${port}" ${HOOK_SETTINGS[*]}; then
+ 		error "Could not write settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+@@ -102,7 +102,7 @@ hook_edit() {
+ hook_children() {
+ 	local port="${1}"
+ 
+-	if ! port_settings_read "${port}" ${HOOK_SETTINGS}; then
++	if ! port_settings_read "${port}" ${HOOK_SETTINGS[*]}; then
+ 		log ERROR "Could not read port settings: ${port}"
+ 		return ${EXIT_OK}
+ 	fi
+diff --git a/src/header-zone b/src/header-zone
+index 7ad3e39..2174b01 100644
+--- a/src/header-zone
++++ b/src/header-zone
+@@ -34,7 +34,7 @@ hook_new() {
+ 	assert isset zone
+ 	shift
+ 
+-	local ${HOOK_SETTINGS}
++	local ${HOOK_SETTINGS[*]}
+ 
+ 	# Import all default variables
+ 	hook_set_defaults
+diff --git a/src/hooks/ports/bonding b/src/hooks/ports/bonding
+index f0572c3..09fb74f 100644
+--- a/src/hooks/ports/bonding
++++ b/src/hooks/ports/bonding
+@@ -21,7 +21,13 @@
+ 
+ . /usr/lib/network/header-port
+ 
+-HOOK_SETTINGS="ADDRESS MIIMON MODE OFFLOADING SLAVES"
++HOOK_SETTINGS=(
++	"ADDRESS"
++	"MIIMON"
++	"MODE"
++	"OFFLOADING"
++	"SLAVES"
++)
+ 
+ DEFAULT_MIIMON=100
+ DEFAULT_MODE="balance-rr"
+@@ -110,7 +116,7 @@ hook_new() {
+ 	assert isset port
+ 
+ 	# Save configuration
+-	if port_settings_write "${port}" ${HOOK_SETTINGS}; then
++	if port_settings_write "${port}" ${HOOK_SETTINGS[*]}; then
+ 		log INFO "New port ${port} has been created"
+ 	else
+ 		error "Could not save configuration for ${port}"
+@@ -162,7 +168,7 @@ hook_create() {
+ 	# Exit silently if the device already exists
+ 	device_exists "${port}" && exit ${EXIT_OK}
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	# Create the bonding devices
+ 	bonding_create "${port}" \
+@@ -178,7 +184,7 @@ hook_remove() {
+ 	local port="${1}"
+ 	assert isset port
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	# Remove the bonding device
+ 	if device_exists "${port}"; then
+@@ -190,7 +196,7 @@ hook_up() {
+ 	local port="${1}"
+ 	assert isset port
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	# Auto-enable or disable hardware offloading
+ 	if ! isset OFFLOADING || enabled OFFLOADING; then
+@@ -213,7 +219,7 @@ hook_down() {
+ 	local port="${1}"
+ 	assert isset port
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	# Bring down all slaves
+ 	local slave
+@@ -234,7 +240,7 @@ hook_hotplug() {
+ 			# Handle events of the same interface
+ 			if hotplug_event_port_is_interface "${port}"; then
+ 				# Read configuration
+-				port_settings_read "${port}" ${HOOK_SETTINGS}
++				port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 				# Bring up all slaves
+ 				# Attach those which already exist and try to create
+diff --git a/src/hooks/ports/dummy b/src/hooks/ports/dummy
+index 61d2f94..1c4b3c9 100644
+--- a/src/hooks/ports/dummy
++++ b/src/hooks/ports/dummy
+@@ -21,7 +21,9 @@
+ 
+ . /usr/lib/network/header-port
+ 
+-HOOK_SETTINGS="ADDRESS"
++HOOK_SETTINGS=(
++	"ADDRESS"
++)
+ 
+ hook_check_settings() {
+ 	assert ismac ADDRESS
+@@ -60,7 +62,7 @@ hook_new() {
+ 	local port=$(port_find_free ${DUMMY_PORT_PATTERN})
+ 	assert isset port
+ 
+-	if port_settings_write "${port}" ${HOOK_SETTINGS}; then
++	if port_settings_write "${port}" ${HOOK_SETTINGS[*]}; then
+ 		log INFO "New dummy port '${port}' has been created"
+ 	fi
+ 
+@@ -72,7 +74,7 @@ hook_create() {
+ 	assert isset port
+ 
+ 	# Read configuration
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	# Create the dummy device
+ 	dummy_create "${port}" "${ADDRESS}"
+@@ -115,7 +117,7 @@ hook_hotplug_rename() {
+ 	local device=${2}
+ 	assert isset device
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	if [ "${ADDRESS}" = "$(device_get_address ${device})" ]; then
+ 		log DEBUG "Device '${device}' equals port '${port}'."
+diff --git a/src/hooks/ports/ethernet b/src/hooks/ports/ethernet
+index 0d9c5cd..f3e3f9f 100644
+--- a/src/hooks/ports/ethernet
++++ b/src/hooks/ports/ethernet
+@@ -21,10 +21,13 @@
+ 
+ . /usr/lib/network/header-port
+ 
+-# DEVICE equals the actual MAC address of the device.
+-# If ADDRESS is set, the device will get ADDRESS set for its MAC address.
+-
+-HOOK_SETTINGS="ADDRESS ADVERTISED_LINK_SPEEDS DEVICE OFFLOADING MTU"
++HOOK_SETTINGS=(
++	"ADDRESS"
++	"ADVERTISED_LINK_SPEEDS"
++	"DEVICE"
++	"OFFLOADING"
++	"MTU"
++)
+ 
+ hook_check_settings() {
+ 	assert ismac DEVICE
+@@ -114,7 +117,7 @@ hook_new() {
+ 
+ 	local DEVICE="$(device_get_address "${device}")"
+ 
+-	if ! port_settings_write "${port}" ${HOOK_SETTINGS}; then
++	if ! port_settings_write "${port}" ${HOOK_SETTINGS[*]}; then
+ 		log ERROR "Could not write settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+@@ -129,8 +132,8 @@ hook_create() {
+ hook_up() {
+ 	local port="${1}"
+ 
+-	local ${HOOK_SETTINGS}
+-	if ! port_settings_read "${port}" ${HOOK_SETTINGS}; then
++	local ${HOOK_SETTINGS[*]}
++	if ! port_settings_read "${port}" ${HOOK_SETTINGS[*]}; then
+ 		log ERROR "Could not read settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+@@ -177,7 +180,7 @@ hook_hotplug_rename() {
+ 	assert isset device
+ 
+ 	# Read in the conifguration file.
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	# Get the current MAC address of the device.
+ 	local address=$(device_get_address ${device})
+diff --git a/src/hooks/ports/ip-tunnel b/src/hooks/ports/ip-tunnel
+index 3943e4c..b426963 100644
+--- a/src/hooks/ports/ip-tunnel
++++ b/src/hooks/ports/ip-tunnel
+@@ -23,7 +23,13 @@
+ 
+ SUPPORTED_IP_TUNNEL_MODES="gretap"
+ 
+-HOOK_SETTINGS="ADDRESS MARK MODE PEER LOCAL_ADDRESS"
++HOOK_SETTINGS=(
++	"ADDRESS"
++	"MARK"
++	"MODE"
++	"PEER"
++	"LOCAL_ADDRESS"
++)
+ 
+ hook_check_settings() {
+ 	assert isset MODE
+@@ -108,8 +114,8 @@ hook_create() {
+ 	local port="${1}"
+ 	assert isset port
+ 
+-	local ${HOOK_SETTINGS}
+-	if ! port_settings_read "${port}" ${HOOK_SETTINGS}; then
++	local ${HOOK_SETTINGS[*]}
++	if ! port_settings_read "${port}" ${HOOK_SETTINGS[*]}; then
+ 		log ERROR "Could not read settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+@@ -146,8 +152,8 @@ hook_hotplug_rename() {
+ 	local device="${2}"
+ 	assert isset device
+ 
+-	local ${HOOK_SETTINGS}
+-	if ! port_settings_read "${port}" ${HOOK_SETTINGS}; then
++	local ${HOOK_SETTINGS[*]}
++	if ! port_settings_read "${port}" ${HOOK_SETTINGS[*]}; then
+ 		log ERROR "Could not read settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index bc12a9e..e9aa545 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -21,7 +21,11 @@
+ 
+ . /usr/lib/network/header-port
+ 
+-HOOK_SETTINGS="ADDRESS PARENT_DEVICE TAG"
++HOOK_SETTINGS=(
++	"ADDRESS"
++	"PARENT_DEVICE"
++	"TAG"
++)
+ 
+ PORT_PARENTS_VAR="PARENT"
+ 
+@@ -68,7 +72,7 @@ hook_new() {
+ 
+ 	local port="${PARENT_DEVICE}${VLAN_PORT_INTERFIX}${TAG}"
+ 
+-	port_settings_write "${port}" ${HOOK_SETTINGS}
++	port_settings_write "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	exit ${EXIT_OK}
+ }
+@@ -78,7 +82,7 @@ hook_edit() {
+ 	assert isset port
+ 	shift
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	while [ $# -gt 0 ]; do
+ 		case "${1}" in
+@@ -92,7 +96,7 @@ hook_edit() {
+ 		shift
+ 	done
+ 
+-	port_settings_write "${port}" ${HOOK_SETTINGS}
++	port_settings_write "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	exit ${EXIT_OK}	
+ }
+@@ -104,7 +108,7 @@ hook_create() {
+ 	device_exists "${port}" && exit ${EXIT_OK}
+ 
+ 	# Read configruation
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	# Create the VLAN device
+ 	vlan_create "${port}" "${PARENT_DEVICE}" "${TAG}" "${ADDRESS}"
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 2bb4977..8d495d2 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -23,9 +23,20 @@
+ 
+ HOOK_PORT_PATTERN="${PORT_PATTERN_ACCESSPOINT}"
+ 
+-HOOK_SETTINGS="ADDRESS BROADCAST_SSID CHANNEL CHANNEL_BANDWIDTH DFS MODE PHY"
+-HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION ENVIRONMENT KEY SSID"
+-HOOK_SETTINGS="${HOOK_SETTINGS} MFP"
++HOOK_SETTINGS=(
++	"ADDRESS"
++	"BROADCAST_SSID"
++	"CHANNEL"
++	"CHANNEL_BANDWIDTH"
++	"DFS"
++	"ENCRYPTION"
++	"ENVIRONMENT"
++	"KEY"
++	"MFP"
++	"MODE"
++	"PHY"
++	"SSID"
++)
+ 
+ # Broadcast SSID by default
+ DEFAULT_BROADCAST_SSID="on"
+@@ -186,7 +197,7 @@ hook_create() {
+ 
+ 	device_exists "${port}" && exit ${EXIT_OK}
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	# Check if the PHY is present.
+ 	local phy=$(phy_get ${PHY})
+diff --git a/src/hooks/ports/wireless-mesh b/src/hooks/ports/wireless-mesh
+index 4fb4dc9..306263d 100644
+--- a/src/hooks/ports/wireless-mesh
++++ b/src/hooks/ports/wireless-mesh
+@@ -23,7 +23,13 @@
+ 
+ HOOK_PORT_PATTERN="${PORT_PATTERN_MESH}"
+ 
+-HOOK_SETTINGS="ADDRESS MESH_ID CHANNEL PHY PSK"
++HOOK_SETTINGS=(
++	"ADDRESS"
++	"CHANNEL"
++	"MESH_ID"
++	"PHY"
++	"PSK"
++)
+ 
+ hook_check_settings() {
+ 	assert ismac ADDRESS
+@@ -84,7 +90,7 @@ hook_create() {
+ 	assert isset port
+ 
+ 	# Read settings
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	# Check if the PHY is present.
+ 	local phy="$(phy_get "${PHY}")"
+@@ -143,7 +149,7 @@ hook_hotplug() {
+ 	local port="${1}"
+ 	assert isset port
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS}
++	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
+ 
+ 	case "$(hotplug_action)" in
+ 		add)
+diff --git a/src/hooks/zones/bridge b/src/hooks/zones/bridge
+index 33d5811..0b18331 100644
+--- a/src/hooks/zones/bridge
++++ b/src/hooks/zones/bridge
+@@ -23,10 +23,19 @@
+ 
+ HOOK_MANPAGE="network-zone-bridge"
+ 
+-HOOK_SETTINGS="HOOK ADDRESS STP STP_FORWARD_DELAY STP_HELLO STP_MAXAGE"
+-HOOK_SETTINGS="${HOOK_SETTINGS} STP_PRIORITY MTU"
+-
+-HOOK_PORT_SETTINGS="COST PRIORITY"
++HOOK_SETTINGS=(
++	"ADDRESS"
++	"STP"
++	"STP_FORWARD_DELAY"
++	"STP_HELLO STP_MAXAGE"
++	"STP_PRIORITY"
++	"MTU"
++)
++
++HOOK_PORT_SETTINGS=(
++	"COST"
++	"PRIORITY"
++)
+ 
+ # Default values
+ DEFAULT_STP="on"
+diff --git a/src/hooks/zones/ip-tunnel b/src/hooks/zones/ip-tunnel
+index e4be361..634154e 100644
+--- a/src/hooks/zones/ip-tunnel
++++ b/src/hooks/zones/ip-tunnel
+@@ -23,7 +23,12 @@
+ 
+ SUPPORTED_IP_TUNNEL_MODES="gre vti"
+ 
+-HOOK_SETTINGS="HOOK MARK MODE PEER LOCAL_ADDRESS"
++HOOK_SETTINGS=(
++	"MARK"
++	"MODE"
++	"PEER"
++	"LOCAL_ADDRESS"
++)
+ 
+ # Default mode of the tunnel
+ DEFAULT_MODE="gre"
+diff --git a/src/hooks/zones/modem b/src/hooks/zones/modem
+index 50d43c7..e12b104 100644
+--- a/src/hooks/zones/modem
++++ b/src/hooks/zones/modem
+@@ -24,41 +24,21 @@
+ # Modems support all authentication methods, that pppd does support.
+ MODEM_ALLOWED_AUTH_METHODS="${PPP_ALLOWED_AUTH_METHODS}"
+ 
+-HOOK_SETTINGS="HOOK"
++HOOK_SETTINGS=(
++	"APN"
++	"AUTH"
++	"BAUDRATE"
++	"DEVICE"
++	"MONITOR_DEVICE"
++	"MTU"
++	"USERNAME"
++	"PASSWORD"
++	"PIN"
++	"PHONE_NUMBER"
++	"IMSI"
++)
+ 
+-# Access Point Name.
+-HOOK_SETTINGS="${HOOK_SETTINGS} APN"
+-
+-# Sets the authentication algortihm that must be used.
+-HOOK_SETTINGS="${HOOK_SETTINGS} AUTH"
+-
+-# Baudrate.
+ DEFAULT_BAUDRATE=921600
+-HOOK_SETTINGS="${HOOK_SETTINGS} BAUDRATE"
+-
+-# The device name of the serial device.
+-# XXX how can we make sure that this does not change all the time?
+-HOOK_SETTINGS="${HOOK_SETTINGS} DEVICE"
+-
+-# A monitor device.
+-# Send AT commands to this device, when the primary device is
+-# connected.
+-HOOK_SETTINGS="${HOOK_SETTINGS} MONITOR_DEVICE"
+-
+-# Maximum transmission unit.
+-HOOK_SETTINGS="${HOOK_SETTINGS} MTU"
+-
+-# User credentials.
+-HOOK_SETTINGS="${HOOK_SETTINGS} USERNAME PASSWORD"
+-
+-# PIN code.
+-HOOK_SETTINGS="${HOOK_SETTINGS} PIN"
+-
+-# Phone number.
+-HOOK_SETTINGS="${HOOK_SETTINGS} PHONE_NUMBER"
+-
+-# IMSI
+-HOOK_SETTINGS="${HOOK_SETTINGS} IMSI"
+ 
+ hook_check_settings() {
+ 	assert isset DEVICE
+diff --git a/src/hooks/zones/pppoe b/src/hooks/zones/pppoe
+index cd3913b..4f7ae51 100644
+--- a/src/hooks/zones/pppoe
++++ b/src/hooks/zones/pppoe
+@@ -21,8 +21,16 @@
+ 
+ . /usr/lib/network/header-zone
+ 
+-HOOK_SETTINGS="HOOK ACCESS_CONCENTRATOR AUTH USERNAME PASSWORD"
+-HOOK_SETTINGS="${HOOK_SETTINGS} SERVICE_NAME MTU IPV6 PREFIX_DELEGATION"
++HOOK_SETTINGS=(
++	"ACCESS_CONCENTRATOR"
++	"AUTH"
++	"USERNAME"
++	"PASSWORD"
++	"SERVICE_NAME"
++	"MTU"
++	"IPV6"
++	"PREFIX_DELEGATION"
++)
+ 
+ # This hook can work with all authentication methods supported by pppd.
+ PPPOE_SUPPORTED_AUTH_METHODS="${PPP_SUPPORTED_AUTH_METHODS}"
+diff --git a/src/hooks/zones/wireless b/src/hooks/zones/wireless
+index 553d917..9c52dce 100644
+--- a/src/hooks/zones/wireless
++++ b/src/hooks/zones/wireless
+@@ -21,7 +21,10 @@
+ 
+ . /usr/lib/network/header-zone
+ 
+-HOOK_SETTINGS="HOOK ADDRESS PHY"
++HOOK_SETTINGS=(
++	"ADDRESS"
++	"PHY"
++)
+ 
+ hook_check_settings() {
+ 	assert ismac ADDRESS
+-- 
+2.39.2
+
diff --git a/network/patches/0037-settings-Some-code-refactoring.patch b/network/patches/0037-settings-Some-code-refactoring.patch
new file mode 100644
index 000000000..e3f473f0b
--- /dev/null
+++ b/network/patches/0037-settings-Some-code-refactoring.patch
@@ -0,0 +1,133 @@ 
+From 227d458f4fac10cbf0970515edd3227913fc1bf4 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 14:04:35 +0100
+Subject: [PATCH 037/304] settings: Some code refactoring
+
+No functional changes
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hook  | 13 +++++++++++++
+ src/functions/functions.ports | 10 ++--------
+ src/functions/functions.zone  | 32 ++++++++------------------------
+ 3 files changed, 23 insertions(+), 32 deletions(-)
+
+diff --git a/src/functions/functions.hook b/src/functions/functions.hook
+index fb68037..11887cd 100644
+--- a/src/functions/functions.hook
++++ b/src/functions/functions.hook
+@@ -124,6 +124,19 @@ hook_help() {
+ 	exit $?
+ }
+ 
++# Dummy functions being overlayed by hooks
++hook_check_settings() {
++	:
++}
++
++hook_check_config_settings() {
++	:
++}
++
++hook_check_port_settings() {
++	:
++}
++
+ # Sets all settings in HOOK_SETTINGS to their DEFAULT_* values
+ hook_set_defaults() {
+ 	local setting
+diff --git a/src/functions/functions.ports b/src/functions/functions.ports
+index fb22715..d8a9140 100644
+--- a/src/functions/functions.ports
++++ b/src/functions/functions.ports
+@@ -94,15 +94,9 @@ port_settings_read() {
+ port_settings_write() {
+ 	local port="${1}"
+ 	assert isset port
+-	shift
+-
+-	local args
+-	if function_exists "hook_check_settings"; then
+-		list_append args "--check=\"hook_check_settings\""
+-	fi
+-	list_append args HOOK ${HOOK_SETTINGS[*]}
+ 
+-	settings_write "$(port_file "${port}")" ${args}
++	settings_write "$(port_file "${port}")" \
++		--check="hook_check_settings" HOOK ${HOOK_SETTINGS[*]}
+ }
+ 
+ port_file() {
+diff --git a/src/functions/functions.zone b/src/functions/functions.zone
+index a0d3cfb..e81371b 100644
+--- a/src/functions/functions.zone
++++ b/src/functions/functions.zone
+@@ -1267,13 +1267,8 @@ zone_settings_write() {
+ 	local zone="${1}"
+ 	assert isset zone
+ 
+-	local args
+-	if function_exists "hook_check_settings"; then
+-		list_append args "--check=\"hook_check_settings\""
+-	fi
+-	list_append args HOOK ${HOOK_SETTINGS[*]}
+-
+-	settings_write "${NETWORK_ZONES_DIR}/${zone}/settings" ${args}
++	settings_write "${NETWORK_ZONES_DIR}/${zone}/settings" \
++		--check="hook_check_settings" HOOK ${HOOK_SETTINGS[*]}
+ }
+ 
+ zone_settings_set() {
+@@ -1328,7 +1323,7 @@ zone_config_settings_read() {
+ }
+ 
+ zone_config_settings_write() {
+-	assert [ $# -ge 2 ]
++	assert [ $# -eq 2 ]
+ 
+ 	local zone="${1}"
+ 	local hook="${2}"
+@@ -1336,14 +1331,9 @@ zone_config_settings_write() {
+ 
+ 	assert isset id
+ 
+-	local args
+-	if function_exists "hook_check_config_settings"; then
+-		list_append args "--check=\"hook_check_config_settings\""
+-	fi
+-	list_append args ${HOOK_CONFIG_SETTINGS}
+-
+ 	local path="${NETWORK_ZONES_DIR}/${zone}/configs/${hook}.${id}"
+-	settings_write "${path}" ${args}
++	settings_write "${path}" \
++		--check="hook_check_config_settings" ${HOOK_CONFIG_SETTINGS[*]}
+ }
+ 
+ zone_config_settings_destroy() {
+@@ -1416,20 +1406,14 @@ zone_port_settings_read() {
+ }
+ 
+ zone_port_settings_write() {
+-	assert [ $# -ge 2 ]
++	assert [ $# -eq 2 ]
+ 
+ 	local zone="${1}"
+ 	local port="${2}"
+-	shift 2
+-
+-	local args
+-	if function_exists "hook_check_port_settings"; then
+-		list_append args "--check=\"hook_check_port_settings\""
+-	fi
+-	list_append args ${HOOK_PORT_SETTINGS}
+ 
+ 	local path="${NETWORK_ZONES_DIR}/${zone}/ports/${port}"
+-	settings_write "${path}" ${args}
++	settings_write "${path}" \
++		--check="hook_check_port_settings" ${HOOK_PORT_SETTINGS[*]}
+ }
+ 
+ zone_port_settings_remove() {
+-- 
+2.39.2
+
diff --git a/network/patches/0038-ports-Drop-HOOK_SETTINGS-variable.patch b/network/patches/0038-ports-Drop-HOOK_SETTINGS-variable.patch
new file mode 100644
index 000000000..87b3a1f12
--- /dev/null
+++ b/network/patches/0038-ports-Drop-HOOK_SETTINGS-variable.patch
@@ -0,0 +1,239 @@ 
+From eba9fa9c0b647552d8a43fb6ff5ab00c2ab21402 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 14:14:56 +0100
+Subject: [PATCH 038/304] ports: Drop HOOK_SETTINGS variable
+
+This does not need to be passed to the port_settings_* functions
+any more which makes them more easy to use
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/bonding       | 12 ++++++------
+ src/hooks/ports/dummy         |  6 +++---
+ src/hooks/ports/ethernet      |  6 +++---
+ src/hooks/ports/ip-tunnel     |  4 ++--
+ src/hooks/ports/vlan          |  8 ++++----
+ src/hooks/ports/wireless-ap   |  2 +-
+ src/hooks/ports/wireless-mesh |  4 ++--
+ 7 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/src/hooks/ports/bonding b/src/hooks/ports/bonding
+index 09fb74f..a0cf5c0 100644
+--- a/src/hooks/ports/bonding
++++ b/src/hooks/ports/bonding
+@@ -116,7 +116,7 @@ hook_new() {
+ 	assert isset port
+ 
+ 	# Save configuration
+-	if port_settings_write "${port}" ${HOOK_SETTINGS[*]}; then
++	if port_settings_write "${port}"; then
+ 		log INFO "New port ${port} has been created"
+ 	else
+ 		error "Could not save configuration for ${port}"
+@@ -168,7 +168,7 @@ hook_create() {
+ 	# Exit silently if the device already exists
+ 	device_exists "${port}" && exit ${EXIT_OK}
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	# Create the bonding devices
+ 	bonding_create "${port}" \
+@@ -184,7 +184,7 @@ hook_remove() {
+ 	local port="${1}"
+ 	assert isset port
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	# Remove the bonding device
+ 	if device_exists "${port}"; then
+@@ -196,7 +196,7 @@ hook_up() {
+ 	local port="${1}"
+ 	assert isset port
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	# Auto-enable or disable hardware offloading
+ 	if ! isset OFFLOADING || enabled OFFLOADING; then
+@@ -219,7 +219,7 @@ hook_down() {
+ 	local port="${1}"
+ 	assert isset port
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	# Bring down all slaves
+ 	local slave
+@@ -240,7 +240,7 @@ hook_hotplug() {
+ 			# Handle events of the same interface
+ 			if hotplug_event_port_is_interface "${port}"; then
+ 				# Read configuration
+-				port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++				port_settings_read "${port}"
+ 
+ 				# Bring up all slaves
+ 				# Attach those which already exist and try to create
+diff --git a/src/hooks/ports/dummy b/src/hooks/ports/dummy
+index 1c4b3c9..387c88b 100644
+--- a/src/hooks/ports/dummy
++++ b/src/hooks/ports/dummy
+@@ -62,7 +62,7 @@ hook_new() {
+ 	local port=$(port_find_free ${DUMMY_PORT_PATTERN})
+ 	assert isset port
+ 
+-	if port_settings_write "${port}" ${HOOK_SETTINGS[*]}; then
++	if port_settings_write "${port}"; then
+ 		log INFO "New dummy port '${port}' has been created"
+ 	fi
+ 
+@@ -74,7 +74,7 @@ hook_create() {
+ 	assert isset port
+ 
+ 	# Read configuration
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	# Create the dummy device
+ 	dummy_create "${port}" "${ADDRESS}"
+@@ -117,7 +117,7 @@ hook_hotplug_rename() {
+ 	local device=${2}
+ 	assert isset device
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	if [ "${ADDRESS}" = "$(device_get_address ${device})" ]; then
+ 		log DEBUG "Device '${device}' equals port '${port}'."
+diff --git a/src/hooks/ports/ethernet b/src/hooks/ports/ethernet
+index f3e3f9f..5f76e15 100644
+--- a/src/hooks/ports/ethernet
++++ b/src/hooks/ports/ethernet
+@@ -117,7 +117,7 @@ hook_new() {
+ 
+ 	local DEVICE="$(device_get_address "${device}")"
+ 
+-	if ! port_settings_write "${port}" ${HOOK_SETTINGS[*]}; then
++	if ! port_settings_write "${port}"; then
+ 		log ERROR "Could not write settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+@@ -133,7 +133,7 @@ hook_up() {
+ 	local port="${1}"
+ 
+ 	local ${HOOK_SETTINGS[*]}
+-	if ! port_settings_read "${port}" ${HOOK_SETTINGS[*]}; then
++	if ! port_settings_read "${port}"; then
+ 		log ERROR "Could not read settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+@@ -180,7 +180,7 @@ hook_hotplug_rename() {
+ 	assert isset device
+ 
+ 	# Read in the conifguration file.
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	# Get the current MAC address of the device.
+ 	local address=$(device_get_address ${device})
+diff --git a/src/hooks/ports/ip-tunnel b/src/hooks/ports/ip-tunnel
+index b426963..fa7193c 100644
+--- a/src/hooks/ports/ip-tunnel
++++ b/src/hooks/ports/ip-tunnel
+@@ -115,7 +115,7 @@ hook_create() {
+ 	assert isset port
+ 
+ 	local ${HOOK_SETTINGS[*]}
+-	if ! port_settings_read "${port}" ${HOOK_SETTINGS[*]}; then
++	if ! port_settings_read "${port}"; then
+ 		log ERROR "Could not read settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+@@ -153,7 +153,7 @@ hook_hotplug_rename() {
+ 	assert isset device
+ 
+ 	local ${HOOK_SETTINGS[*]}
+-	if ! port_settings_read "${port}" ${HOOK_SETTINGS[*]}; then
++	if ! port_settings_read "${port}"; then
+ 		log ERROR "Could not read settings for port ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index e9aa545..f511986 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -72,7 +72,7 @@ hook_new() {
+ 
+ 	local port="${PARENT_DEVICE}${VLAN_PORT_INTERFIX}${TAG}"
+ 
+-	port_settings_write "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_write "${port}"
+ 
+ 	exit ${EXIT_OK}
+ }
+@@ -82,7 +82,7 @@ hook_edit() {
+ 	assert isset port
+ 	shift
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	while [ $# -gt 0 ]; do
+ 		case "${1}" in
+@@ -96,7 +96,7 @@ hook_edit() {
+ 		shift
+ 	done
+ 
+-	port_settings_write "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_write "${port}"
+ 
+ 	exit ${EXIT_OK}	
+ }
+@@ -108,7 +108,7 @@ hook_create() {
+ 	device_exists "${port}" && exit ${EXIT_OK}
+ 
+ 	# Read configruation
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	# Create the VLAN device
+ 	vlan_create "${port}" "${PARENT_DEVICE}" "${TAG}" "${ADDRESS}"
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 8d495d2..e393f5f 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -197,7 +197,7 @@ hook_create() {
+ 
+ 	device_exists "${port}" && exit ${EXIT_OK}
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	# Check if the PHY is present.
+ 	local phy=$(phy_get ${PHY})
+diff --git a/src/hooks/ports/wireless-mesh b/src/hooks/ports/wireless-mesh
+index 306263d..35f0950 100644
+--- a/src/hooks/ports/wireless-mesh
++++ b/src/hooks/ports/wireless-mesh
+@@ -90,7 +90,7 @@ hook_create() {
+ 	assert isset port
+ 
+ 	# Read settings
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	# Check if the PHY is present.
+ 	local phy="$(phy_get "${PHY}")"
+@@ -149,7 +149,7 @@ hook_hotplug() {
+ 	local port="${1}"
+ 	assert isset port
+ 
+-	port_settings_read "${port}" ${HOOK_SETTINGS[*]}
++	port_settings_read "${port}"
+ 
+ 	case "$(hotplug_action)" in
+ 		add)
+-- 
+2.39.2
+
diff --git a/network/patches/0039-hotplug-Remove-multiple-copies-of-the-same-function.patch b/network/patches/0039-hotplug-Remove-multiple-copies-of-the-same-function.patch
new file mode 100644
index 000000000..ee5f6592e
--- /dev/null
+++ b/network/patches/0039-hotplug-Remove-multiple-copies-of-the-same-function.patch
@@ -0,0 +1,162 @@ 
+From 12f9c8d2550c8fcab536bb8b971caddfa8ee0c80 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 14:58:12 +0100
+Subject: [PATCH 039/304] hotplug: Remove multiple copies of the same function
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/header-port           | 26 ++++++++++++++++++++++++++
+ src/hooks/ports/dummy     | 36 +-----------------------------------
+ src/hooks/ports/ethernet  | 22 +---------------------
+ src/hooks/ports/ip-tunnel | 23 +----------------------
+ 4 files changed, 29 insertions(+), 78 deletions(-)
+
+diff --git a/src/header-port b/src/header-port
+index 2d8a820..d75fdd8 100644
+--- a/src/header-port
++++ b/src/header-port
+@@ -42,6 +42,32 @@ hook_hotplug_rename() {
+ 	exit ${EXIT_FALSE}
+ }
+ 
++hook_hotplug_rename_by_address() {
++	local port="${1}"
++	assert isset port
++
++	local device="${2}"
++	assert isset device
++
++	# Read in the conifguration file.
++	if ! port_settings_read "${port}"; then
++		return ${EXIT_ERROR}
++	fi
++
++	# Get the current MAC address of the device.
++	local address="$(device_get_address "${device}")"
++	assert isset address
++
++	# Check if the address matches with the configuration.
++	if list_match "${address}" "${ADDRESS}" "${DEVICE}"; then
++		log DEBUG "Device '${device}' is port '${port}'"
++		return ${EXIT_OK}
++	fi
++
++	log DEBUG "Device '${device}' is not port '${port}'"
++	return ${EXIT_ERROR}
++}
++
+ hook_default_new() {
+ 	local ${HOOK_SETTINGS[*]}
+ 
+diff --git a/src/hooks/ports/dummy b/src/hooks/ports/dummy
+index 387c88b..3688831 100644
+--- a/src/hooks/ports/dummy
++++ b/src/hooks/ports/dummy
+@@ -90,40 +90,6 @@ hook_remove() {
+ 	dummy_remove "${port}"
+ }
+ 
+-hook_up() {
+-	local port="${1}"
+-	assert isset port
+-
+-	# Bring up the port.
+-	device_set_up ${port}
+-
+-	exit ${EXIT_OK}
+-}
+-
+-hook_down() {
+-	local port="${1}"
+-	assert isset port
+-
+-	# Tear down the port.
+-	device_set_down ${port}
+-
+-	exit ${EXIT_OK}
+-}
+-
+ hook_hotplug_rename() {
+-	local port=${1}
+-	assert isset port
+-
+-	local device=${2}
+-	assert isset device
+-
+-	port_settings_read "${port}"
+-
+-	if [ "${ADDRESS}" = "$(device_get_address ${device})" ]; then
+-		log DEBUG "Device '${device}' equals port '${port}'."
+-		exit ${EXIT_OK}
+-	fi
+-
+-	log DEBUG "Device '${device}' does not equal port '${port}'."
+-	exit ${EXIT_ERROR}
++	hook_hotplug_rename_by_address "$@"
+ }
+diff --git a/src/hooks/ports/ethernet b/src/hooks/ports/ethernet
+index 5f76e15..82664fa 100644
+--- a/src/hooks/ports/ethernet
++++ b/src/hooks/ports/ethernet
+@@ -173,25 +173,5 @@ hook_remove() {
+ }
+ 
+ hook_hotplug_rename() {
+-	local port=${1}
+-	assert isset port
+-
+-	local device=${2}
+-	assert isset device
+-
+-	# Read in the conifguration file.
+-	port_settings_read "${port}"
+-
+-	# Get the current MAC address of the device.
+-	local address=$(device_get_address ${device})
+-	assert isset address
+-
+-	# Check if the address matches with the configuration.
+-	if list_match "${address}" ${DEVICE} ${ADDRESS}; then
+-		log DEBUG "Device '${device}' equals port '${port}'."
+-		exit ${EXIT_OK}
+-	fi
+-
+-	log DEBUG "Device '${device}' does not equal port '${port}'."
+-	exit ${EXIT_ERROR}
++	hook_hotplug_rename_by_address "$@"
+ }
+diff --git a/src/hooks/ports/ip-tunnel b/src/hooks/ports/ip-tunnel
+index fa7193c..482511e 100644
+--- a/src/hooks/ports/ip-tunnel
++++ b/src/hooks/ports/ip-tunnel
+@@ -146,26 +146,5 @@ hook_remove() {
+ }
+ 
+ hook_hotplug_rename() {
+-	local port="${1}"
+-	assert isset port
+-
+-	local device="${2}"
+-	assert isset device
+-
+-	local ${HOOK_SETTINGS[*]}
+-	if ! port_settings_read "${port}"; then
+-		log ERROR "Could not read settings for port ${port}"
+-		return ${EXIT_ERROR}
+-	fi
+-
+-	# Get the current MAC address of the device.
+-	local address="$(device_get_address ${device})"
+-	assert isset address
+-
+-	# Return OK on match
+-	if [ "${ADDRESS}" = "${address}" ]; then
+-		return ${EXIT_OK}
+-	fi
+-
+-	return ${EXIT_ERROR}
++	hook_hotplug_rename_by_address "$@"
+ }
+-- 
+2.39.2
+
diff --git a/network/patches/0040-wireless-ap-Remove-support-for-WPA.patch b/network/patches/0040-wireless-ap-Remove-support-for-WPA.patch
new file mode 100644
index 000000000..7ec95a7b1
--- /dev/null
+++ b/network/patches/0040-wireless-ap-Remove-support-for-WPA.patch
@@ -0,0 +1,58 @@ 
+From 66fdbcaf15d3fb7ce4a1e0f7e6299818f4638c84 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 15:02:34 +0100
+Subject: [PATCH 040/304] wireless-ap: Remove support for WPA
+
+This is a deprecated protocol and not secure.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd | 8 +-------
+ src/hooks/ports/wireless-ap     | 2 +-
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 79fb4db..d3eaa74 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -138,7 +138,7 @@ hostapd_config_write() {
+ 
+ 	# Check if key is set when encryption is used.
+ 	if isset encryption; then
+-		assert isoneof encryption WPA WPA2 WPA/WPA2
++		assert isoneof encryption WPA2
+ 		assert isset key
+ 	fi
+ 
+@@ -398,15 +398,9 @@ hostapd_config_write() {
+ 	if isset encryption; then
+ 		local encryption_mode=0
+ 		case "${encryption}" in
+-			WPA)
+-				encryption_mode=1
+-				;;
+ 			WPA2)
+ 				encryption_mode=2
+ 				;;
+-			WPA/WPA2)
+-				encryption_mode=3
+-				;;
+ 		esac
+ 
+ 		(
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index e393f5f..a964fac 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -65,7 +65,7 @@ hook_check_settings() {
+ 	assert isset SSID
+ 
+ 	if isset ENCRYPTION; then
+-		assert isoneof ENCRYPTION WPA WPA2 WPA/WPA2
++		assert isoneof ENCRYPTION WPA2
+ 
+ 		assert isset KEY
+ 		assert [ ${#KEY} -ge 8 ]
+-- 
+2.39.2
+
diff --git a/network/patches/0041-wireless-ap-Add-support-for-WPA3-and-rewrite-WPA2.patch b/network/patches/0041-wireless-ap-Add-support-for-WPA3-and-rewrite-WPA2.patch
new file mode 100644
index 000000000..55b78d002
--- /dev/null
+++ b/network/patches/0041-wireless-ap-Add-support-for-WPA3-and-rewrite-WPA2.patch
@@ -0,0 +1,280 @@ 
+From 0a4c5abab952ae0d864505f037f46cd0a27d6701 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 16:12:53 +0100
+Subject: [PATCH 041/304] wireless-ap: Add support for WPA3 and rewrite WPA2
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd   | 90 +++++++++++++++++++++----------
+ src/helpers/hostapd-config-helper |  5 +-
+ src/hooks/ports/wireless-ap       | 38 +++++++------
+ 3 files changed, 86 insertions(+), 47 deletions(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index d3eaa74..6c2fbd9 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -61,13 +61,14 @@ hostapd_config_write() {
+ 	local channel_bandwidth
+ 	local country_code="$(wireless_get_reg_domain)"
+ 	local dfs="on"
+-	local encryption
+ 	local environment="${WIRELESS_DEFAULT_ENVIRONMENT}"
+-	local key
+ 	local mfp="off"
+ 	local mode
++	local secret
+ 	local ssid
+ 	local wmm="1"
++	local wpa2_personal="off"
++	local wpa3_personal="off"
+ 
+ 	while [ $# -gt 0 ]; do
+ 		case "${1}" in
+@@ -89,9 +90,6 @@ hostapd_config_write() {
+ 			--environment=*)
+ 				environment="$(cli_get_val "${1}")"
+ 				;;
+-			--key=*)
+-				key=$(cli_get_val "${1}")
+-				;;
+ 			--mfp=*)
+ 				mfp="$(cli_get_val "${1}")"
+ 				;;
+@@ -103,6 +101,9 @@ hostapd_config_write() {
+ 					return ${EXIT_ERROR}
+ 				fi
+ 				;;
++			--secret=*)
++				secret="$(cli_get_val "${1}")"
++				;;
+ 			--ssid=*)
+ 				ssid=$(cli_get_val "${1}")
+ 				;;
+@@ -114,6 +115,12 @@ hostapd_config_write() {
+ 					wmm="0"
+ 				fi
+ 				;;
++			--wpa2-personal=*)
++				wpa2_personal="$(cli_get_bool "${1}")"
++				;;
++			--wpa3-personal=*)
++				wpa3_personal="$(cli_get_bool "${1}")"
++				;;
+ 			*)
+ 				warning_log "Ignoring unknown argument '${1}'."
+ 				;;			
+@@ -136,12 +143,6 @@ hostapd_config_write() {
+ 	assert isset mode
+ 	assert isset ssid
+ 
+-	# Check if key is set when encryption is used.
+-	if isset encryption; then
+-		assert isoneof encryption WPA2
+-		assert isset key
+-	fi
+-
+ 	# Check wireless environment
+ 	if ! wireless_environment_is_valid "${environment}"; then
+ 		error "Invalid wireless environment: ${environment}"
+@@ -166,6 +167,12 @@ hostapd_config_write() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
++	# Check if secret is set for personal authentication
++	if ! isset secret && (enabled WPA3_PERSONAL || enabled WPA2_PERSONAL); then
++		error "Secret not set but personal authentication enabled"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# 802.11ac/n flags
+ 	local ieee80211ac
+ 	local ieee80211n
+@@ -394,27 +401,52 @@ hostapd_config_write() {
+ 		print
+ 	) >> ${file}
+ 
+-	# Encryption settings
+-	if isset encryption; then
+-		local encryption_mode=0
+-		case "${encryption}" in
+-			WPA2)
+-				encryption_mode=2
+-				;;
+-		esac
++	# Authentication Settings
++	local wpa
++	local wpa_key_mgmt
++	local wpa_passphrase
++	local sae_password
++	local wpa_strict_rekey
++
++	# WPA3 Personal
++	if enabled WPA3_PERSONAL; then
++		# Enable RSN
++		wpa="2"
++
++		# Add WPA key management
++		list_append wpa_key_mgmt "SAE"
++		sae_password="${secret}"
++	fi
++
++	# WPA2 Personal
++	if enabled WPA2_PERSONAL; then
++		# Enable RSN
++		wpa="2"
++
++		# Add WPA key management
++		list_append wpa_key_mgmt "WPA-PSK-SHA256" "WPA-PSK"
++		wpa_passphrase="${secret}"
+ 
+-		(
+-			print "# Encryption settings"
+-			print "wpa=${encryption_mode}"
+-			print "wpa_passphrase=${key}"
+-			print "wpa_key_mgmt=WPA-PSK-SHA256 WPA-PSK"
+-			print "wpa_pairwise=${pairwise_ciphers[*]}"
+-			print "rsn_pairwise=${pairwise_ciphers[*]}"
+-			print "group_cipher=${group_ciphers[*]}"
+-			print
+-		) >> ${file}
++		# Enable WPA strict rekey
++		wpa_strict_rekey="1"
+ 	fi
+ 
++	# Enable RSN ciphers when RSN is enabled
++	local rsn_pairwise
++	local group_cipher
++	if [ "${wpa}" = "2" ]; then
++		rsn_pairwise="${pairwise_ciphers[*]}"
++		group_cipher="${group_ciphers[*]}"
++	fi
++
++	local var
++	for var in wpa wpa_key_mgmt wpa_passphrase sae_password \
++			rsn_pairwise group_cipher wpa_strict_rekey; do
++		if [ -n "${!var}" ]; then
++			print "${var}=${!var}"
++		fi
++	done >> "${file}"
++
+ 	# Log configuration file
+ 	file_to_log DEBUG "${file}"
+ 
+diff --git a/src/helpers/hostapd-config-helper b/src/helpers/hostapd-config-helper
+index 7af723d..6d9f685 100644
+--- a/src/helpers/hostapd-config-helper
++++ b/src/helpers/hostapd-config-helper
+@@ -42,12 +42,13 @@ case "${action}" in
+ 			--channel="${CHANNEL}" \
+ 			--channel-bandwidth="${CHANNEL_BANDWIDTH}" \
+ 			--dfs="${DFS}" \
+-			--encryption="${ENCRYPTION}" \
+ 			--environment="${ENVIRONMENT}" \
+-			--key="${KEY}" \
++			--secret="${SECRET}" \
+ 			--mfp="${MFP}" \
+ 			--mode="${MODE}" \
+ 			--ssid="${SSID}" \
++			--wpa3-personal="${WPA3_PERSONAL}" \
++			--wpa2-personal="${WPA2_PERSONAL}" \
+ 		|| exit $?
+ 		;;
+ 
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index a964fac..7176ee5 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -29,15 +29,20 @@ HOOK_SETTINGS=(
+ 	"CHANNEL"
+ 	"CHANNEL_BANDWIDTH"
+ 	"DFS"
+-	"ENCRYPTION"
+ 	"ENVIRONMENT"
+-	"KEY"
+ 	"MFP"
+ 	"MODE"
+ 	"PHY"
++	"SECRET"
+ 	"SSID"
++	"WPA3_PERSONAL"
++	"WPA2_PERSONAL"
+ )
+ 
++# Disable WPA3+2 by default
++DEFAULT_WPA3_PERSONAL="off"
++DEFAULT_WPA2_PERSONAL="off"
++
+ # Broadcast SSID by default
+ DEFAULT_BROADCAST_SSID="on"
+ 
+@@ -64,14 +69,6 @@ hook_check_settings() {
+ 	assert ismac PHY
+ 	assert isset SSID
+ 
+-	if isset ENCRYPTION; then
+-		assert isoneof ENCRYPTION WPA2
+-
+-		assert isset KEY
+-		assert [ ${#KEY} -ge 8 ]
+-		assert [ ${#KEY} -le 63 ]
+-	fi
+-
+ 	assert wireless_environment_is_valid "${ENVIRONMENT}"
+ }
+ 
+@@ -99,9 +96,6 @@ hook_parse_cmdline() {
+ 					return ${EXIT_ERROR}
+ 				fi
+ 				;;
+-			--encryption=*)
+-				ENCRYPTION=$(cli_get_val "${1}")
+-				;;
+ 			--environment=*)
+ 				ENVIRONMENT="$(cli_get_val "${1}")"
+ 
+@@ -110,9 +104,6 @@ hook_parse_cmdline() {
+ 					return ${EXIT_ERROR}
+ 				fi
+ 				;;
+-			--key=*)
+-				KEY=$(cli_get_val "${1}")
+-				;;
+ 			--mac=*)
+ 				ADDRESS=$(cli_get_val "${1}")
+ 				;;
+@@ -140,9 +131,18 @@ hook_parse_cmdline() {
+ 			--phy=*)
+ 				PHY=$(cli_get_val "${1}")
+ 				;;
++			--secret=*)
++				SECRET="$(cli_get_val "${1}")"
++				;;
+ 			--ssid=*)
+ 				SSID=$(cli_get_val "${1}")
+ 				;;
++			--wpa2-personal=*)
++				WPA2_PERSONAL="$(cli_get_bool "${1}")"
++				;;
++			--wpa3-personal=*)
++				WPA3_PERSONAL="$(cli_get_bool "${1}")"
++				;;
+ 			*)
+ 				warning "Ignoring unknown argument '${1}'"
+ 				;;
+@@ -174,6 +174,12 @@ hook_parse_cmdline() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
++	# Check if SECRET is set when WPA* is enabled
++	if ! isset SECRET && (enabled WPA3_PERSONAL || enabled WPA2_PERSONAL); then
++		error "Secret is not set when PSK authentication is enabled"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# Save address of phy do identify it again
+ 	PHY=$(phy_get ${PHY})
+ 	PHY=$(phy_get_address ${PHY})
+-- 
+2.39.2
+
diff --git a/network/patches/0042-hotplug-rename-Drop-unused-variable.patch b/network/patches/0042-hotplug-rename-Drop-unused-variable.patch
new file mode 100644
index 000000000..bbf85305c
--- /dev/null
+++ b/network/patches/0042-hotplug-rename-Drop-unused-variable.patch
@@ -0,0 +1,27 @@ 
+From 729cc3a2518ac4db00dd2ab390f7d253154f3333 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 16:19:24 +0100
+Subject: [PATCH 042/304] hotplug-rename: Drop unused variable
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/udev/network-hotplug-rename | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/udev/network-hotplug-rename b/src/udev/network-hotplug-rename
+index 903a07c..5f82f7c 100644
+--- a/src/udev/network-hotplug-rename
++++ b/src/udev/network-hotplug-rename
+@@ -28,9 +28,6 @@ LOG_DISABLE_STDOUT="true"
+ # Read network settings
+ network_settings_read
+ 
+-# Setup the locking
+-LOCKFILE="${LOCK_DIR}/.network-rename-lock"
+-
+ # Check if the INTERFACE variable is properly set.
+ assert isset INTERFACE
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0043-hostapd-Allow-WPA2-authentication-only-with-SHA256.patch b/network/patches/0043-hostapd-Allow-WPA2-authentication-only-with-SHA256.patch
new file mode 100644
index 000000000..166386eda
--- /dev/null
+++ b/network/patches/0043-hostapd-Allow-WPA2-authentication-only-with-SHA256.patch
@@ -0,0 +1,29 @@ 
+From 21ef3b742e6031cb40d0da94015aced31fc18be2 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 16:22:45 +0100
+Subject: [PATCH 043/304] hostapd: Allow WPA2 authentication only with SHA256
+
+This experimental change disables support for the legacy WPA2
+authentication that does not support SHA256.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 6c2fbd9..095beb8 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -424,7 +424,7 @@ hostapd_config_write() {
+ 		wpa="2"
+ 
+ 		# Add WPA key management
+-		list_append wpa_key_mgmt "WPA-PSK-SHA256" "WPA-PSK"
++		list_append wpa_key_mgmt "WPA-PSK-SHA256"
+ 		wpa_passphrase="${secret}"
+ 
+ 		# Enable WPA strict rekey
+-- 
+2.39.2
+
diff --git a/network/patches/0044-wireless-ap-Enable-802.11w-by-default.patch b/network/patches/0044-wireless-ap-Enable-802.11w-by-default.patch
new file mode 100644
index 000000000..fd371582c
--- /dev/null
+++ b/network/patches/0044-wireless-ap-Enable-802.11w-by-default.patch
@@ -0,0 +1,31 @@ 
+From 298a1ffe3f10ec14416c3aed19bb541553de160a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 16:23:55 +0100
+Subject: [PATCH 044/304] wireless-ap: Enable 802.11w by default
+
+This causes some problems on broken Intel systems, but I
+guess it is better to prefer security than compatibility in the
+default settings.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/wireless-ap | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 7176ee5..9676369 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -50,8 +50,7 @@ DEFAULT_BROADCAST_SSID="on"
+ DEFAULT_DFS="on"
+ 
+ # 802.11w - Management Frame Protection
+-# Disable by default because many clients cannot connect when enabled
+-DEFAULT_MFP="off"
++DEFAULT_MFP="on"
+ 
+ DEFAULT_ENVIRONMENT="${WIRELESS_DEFAULT_ENVIRONMENT}"
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0045-hooks-Use-cli_get_bool-convenience-function-where-ev.patch b/network/patches/0045-hooks-Use-cli_get_bool-convenience-function-where-ev.patch
new file mode 100644
index 000000000..1b19ff1d9
--- /dev/null
+++ b/network/patches/0045-hooks-Use-cli_get_bool-convenience-function-where-ev.patch
@@ -0,0 +1,100 @@ 
+From f6659cc56ecdef375fb868a3a44ada37b4cbfc3c Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 16:30:05 +0100
+Subject: [PATCH 045/304] hooks: Use cli_get_bool convenience function where
+ ever possible
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/bonding     | 11 +----------
+ src/hooks/ports/ethernet    | 11 +----------
+ src/hooks/ports/wireless-ap | 22 ++--------------------
+ 3 files changed, 4 insertions(+), 40 deletions(-)
+
+diff --git a/src/hooks/ports/bonding b/src/hooks/ports/bonding
+index a0cf5c0..96cb854 100644
+--- a/src/hooks/ports/bonding
++++ b/src/hooks/ports/bonding
+@@ -59,16 +59,7 @@ hook_parse_cmdline() {
+ 				MODE=$(cli_get_val "${1}")
+ 				;;
+ 			--offloading=*)
+-				OFFLOADING="$(cli_get_val "${1}")"
+-
+-				if enabled OFFLOADING; then
+-					OFFLOADING="on"
+-				elif disabled OFFLOADING; then
+-					OFFLOADING="off"
+-				else
+-					error "Invalid value for offloading: ${OFFLOADING}"
+-					return ${EXIT_ERROR}
+-				fi
++				OFFLOADING="$(cli_get_bool "${1}")"
+ 				;;
+ 			+*)
+ 				local slave=$(cli_get_val "${1:1}")
+diff --git a/src/hooks/ports/ethernet b/src/hooks/ports/ethernet
+index 82664fa..80b5503 100644
+--- a/src/hooks/ports/ethernet
++++ b/src/hooks/ports/ethernet
+@@ -85,16 +85,7 @@ hook_parse_cmdline() {
+ 				;;
+ 
+ 			--offloading=*)
+-				OFFLOADING="$(cli_get_val "${1}")"
+-
+-				if enabled OFFLOADING; then
+-					OFFLOADING="on"
+-				elif disabled OFFLOADING; then
+-					OFFLOADING="off"
+-				else
+-					error "Invalid value for offloading: ${OFFLOADING}"
+-					return ${EXIT_ERROR}
+-				fi
++				OFFLOADING="$(cli_get_bool "${1}")"
+ 				;;
+ 
+ 			*)
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 9676369..2528585 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -84,16 +84,7 @@ hook_parse_cmdline() {
+ 				CHANNEL_BANDWIDTH="$(cli_get_val "${1}")"
+ 				;;
+ 			--dfs=*)
+-				DFS="$(cli_get_val "${1}")"
+-
+-				if enabled DFS; then
+-					DFS="on"
+-				elif disabled DFS; then
+-					DFS="off"
+-				else
+-					error "Invalid value for DFS: ${DFS}"
+-					return ${EXIT_ERROR}
+-				fi
++				DFS="$(cli_get_bool "${1}")"
+ 				;;
+ 			--environment=*)
+ 				ENVIRONMENT="$(cli_get_val "${1}")"
+@@ -107,16 +98,7 @@ hook_parse_cmdline() {
+ 				ADDRESS=$(cli_get_val "${1}")
+ 				;;
+ 			--mfp=*)
+-				MFP="$(cli_get_val "${1}")"
+-
+-				if enabled MFP; then
+-					MFP="on"
+-				elif disabled MFP; then
+-					MFP="off"
+-				else
+-					error "Invalid value for --mfp: ${MFP}"
+-					return ${EXIT_ERROR}
+-				fi
++				MFP="$(cli_get_bool "${1}")"
+ 				;;
+ 			--mode=*)
+ 				MODE=$(cli_get_val "${1}")
+-- 
+2.39.2
+
diff --git a/network/patches/0046-hook-Rename-HOOK_CONFIG_SETTINGS-to-HOOK_SETTINGS.patch b/network/patches/0046-hook-Rename-HOOK_CONFIG_SETTINGS-to-HOOK_SETTINGS.patch
new file mode 100644
index 000000000..29b8c1a55
--- /dev/null
+++ b/network/patches/0046-hook-Rename-HOOK_CONFIG_SETTINGS-to-HOOK_SETTINGS.patch
@@ -0,0 +1,196 @@ 
+From 636f1b96fc0b60c47cf5636f95b1ee6c856a701c Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 16:54:04 +0100
+Subject: [PATCH 046/304] hook: Rename HOOK_CONFIG_SETTINGS to HOOK_SETTINGS
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.zone   |  8 ++++----
+ src/header-config              |  5 ++++-
+ src/hooks/configs/dhcp         | 13 +++++++++----
+ src/hooks/configs/ipv6-auto    | 15 +++++----------
+ src/hooks/configs/pppoe-server | 24 +++++++++---------------
+ src/hooks/configs/static       |  6 +++++-
+ 6 files changed, 36 insertions(+), 35 deletions(-)
+
+diff --git a/src/functions/functions.zone b/src/functions/functions.zone
+index e81371b..28fbecd 100644
+--- a/src/functions/functions.zone
++++ b/src/functions/functions.zone
+@@ -1312,8 +1312,8 @@ zone_config_settings_read() {
+ 	shift 2
+ 
+ 	local args
+-	if [ $# -eq 0 ] && [ -n "${HOOK_CONFIG_SETTINGS}" ]; then
+-		list_append args ${HOOK_CONFIG_SETTINGS}
++	if [ $# -eq 0 ] && [ -n "${HOOK_SETTINGS[*]}" ]; then
++		list_append args ${HOOK_SETTINGS[*]}
+ 	else
+ 		list_append args "$@"
+ 	fi
+@@ -1323,7 +1323,7 @@ zone_config_settings_read() {
+ }
+ 
+ zone_config_settings_write() {
+-	assert [ $# -eq 2 ]
++	assert [ $# -eq 3 ]
+ 
+ 	local zone="${1}"
+ 	local hook="${2}"
+@@ -1333,7 +1333,7 @@ zone_config_settings_write() {
+ 
+ 	local path="${NETWORK_ZONES_DIR}/${zone}/configs/${hook}.${id}"
+ 	settings_write "${path}" \
+-		--check="hook_check_config_settings" ${HOOK_CONFIG_SETTINGS[*]}
++		--check="hook_check_config_settings" HOOK ${HOOK_SETTINGS[*]}
+ }
+ 
+ zone_config_settings_destroy() {
+diff --git a/src/header-config b/src/header-config
+index 4458eaa..baeca5e 100644
+--- a/src/header-config
++++ b/src/header-config
+@@ -26,6 +26,9 @@ hook_new() {
+ 	local id=$(zone_config_get_new_id ${zone})
+ 	log DEBUG "ID for the config is: ${id}"
+ 
++	# Import all default variables
++	hook_set_defaults
++
+ 	# Parse command line arguments
+ 	if ! hook_parse_cmdline "${id}" "$@"; then
+ 		# Return an error if the parsing of the cmd line fails
+@@ -64,7 +67,7 @@ hook_edit() {
+ 		fi
+ 	fi
+ 
+-	local ${HOOK_CONFIG_SETTINGS}
++	local ${HOOK_SETTINGS}
+ 
+ 	# If reading the config fails we cannot go on
+ 	if ! zone_config_settings_read "${zone}" "${config}"; then
+diff --git a/src/hooks/configs/dhcp b/src/hooks/configs/dhcp
+index b643022..1ad0694 100644
+--- a/src/hooks/configs/dhcp
++++ b/src/hooks/configs/dhcp
+@@ -21,11 +21,13 @@
+ 
+ . /usr/lib/network/header-config
+ 
+-HOOK_CONFIG_SETTINGS="HOOK ENABLE_IPV6 ENABLE_IPV4"
++HOOK_SETTINGS=(
++	"ENABLE_IPV6"
++	"ENABLE_IPV4"
++)
+ 
+-# Default settings.
+-ENABLE_IPV6="on"
+-ENABLE_IPV4="on"
++DEFAULT_ENABLE_IPV6="on"
++DEFAULT_ENABLE_IPV4="on"
+ 
+ hook_check_config_settings() {
+ 	assert isset ENABLE_IPV6
+@@ -78,6 +80,9 @@ hook_new() {
+ 	local id=$(zone_config_get_new_id ${zone})
+ 	log DEBUG "ID for the config is: ${id}"
+ 
++	# Import defaults
++	hook_set_defaults
++
+ 	if ! hook_parse_cmdline "${id}" "$@"; then
+ 		# Return an error if the parsing of the cmd line fails
+ 		return ${EXIT_ERROR}
+diff --git a/src/hooks/configs/ipv6-auto b/src/hooks/configs/ipv6-auto
+index 8796723..6fd90a5 100644
+--- a/src/hooks/configs/ipv6-auto
++++ b/src/hooks/configs/ipv6-auto
+@@ -21,10 +21,12 @@
+ 
+ . /usr/lib/network/header-config
+ 
+-HOOK_CONFIG_SETTINGS="HOOK PRIVACY_EXTENSIONS"
++HOOK_SETTINGS=(
++	"PRIVACY_EXTENSIONS"
++)
+ 
+ # Privacy Extensions are disabled by default
+-PRIVACY_EXTENSIONS="off"
++DEFAULT_PRIVACY_EXTENSIONS="off"
+ 
+ hook_check_config_settings() {
+ 	assert isbool PRIVACY_EXTENSIONS
+@@ -35,17 +37,10 @@ hook_parse_cmdline() {
+ 	shift
+ 
+ 	local arg
+-
+ 	while read arg; do
+ 		case "${arg}" in
+ 			--privacy-extensions=*)
+-				local val="$(cli_get_val "${arg}")"
+-
+-				if enabled val; then
+-					PRIVACY_EXTENSIONS="on"
+-				else
+-					PRIVACY_EXTENSIONS="off"
+-				fi
++				PRIVACY_EXTENSIONS="$(cli_get_bool "${arg}")"
+ 				;;
+ 		esac
+ 	done <<< "$(args "$@")"
+diff --git a/src/hooks/configs/pppoe-server b/src/hooks/configs/pppoe-server
+index 6a2c014..4d79549 100644
+--- a/src/hooks/configs/pppoe-server
++++ b/src/hooks/configs/pppoe-server
+@@ -21,21 +21,15 @@
+ 
+ . /usr/lib/network/header-config
+ 
+-HOOK_CONFIG_SETTINGS="HOOK DNS_SERVERS MTU SERVICE_NAME SUBNET MAX_SESSIONS"
+-
+-# Maximum Transmission Unit.
+-MTU=1492
+-
+-# Service Name.
+-SERVICE_NAME=
+-
+-# A subnet. Addresses from this subnet will be given to the remote hosts.
+-# The net address will be the gateway address for the PPPoE server.
+-SUBNET=
+-
+-# Defines the max. number of sessions per MAC address.
+-# 0 = unlimited.
+-MAX_SESSIONS=0
++HOOK_SETTINGS=(
++	"DNS_SERVERS"
++	"MTU"
++	"SERVICE_NAME"
++	"SUBNET MAX_SESSIONS"
++)
++
++DEFAULT_MTU=1492
++DEFAULT_MAX_SESSIONS=0
+ 
+ hook_check_config_settings() {
+ 	assert isset MTU
+diff --git a/src/hooks/configs/static b/src/hooks/configs/static
+index 23ae2d8..6fddc32 100644
+--- a/src/hooks/configs/static
++++ b/src/hooks/configs/static
+@@ -21,7 +21,11 @@
+ 
+ . /usr/lib/network/header-config
+ 
+-HOOK_CONFIG_SETTINGS="HOOK ADDRESS PREFIX GATEWAY"
++HOOK_SETTINGS=(
++	"ADDRESS"
++	"PREFIX"
++	"GATEWAY"
++)
+ 
+ hook_check_config_settings() {
+ 	local protocol="$(ip_detect_protocol "${ADDRESS}")"
+-- 
+2.39.2
+
diff --git a/network/patches/0047-dhcp-Rename-enabled-from-configuration-parameters.patch b/network/patches/0047-dhcp-Rename-enabled-from-configuration-parameters.patch
new file mode 100644
index 000000000..a7bf304c6
--- /dev/null
+++ b/network/patches/0047-dhcp-Rename-enabled-from-configuration-parameters.patch
@@ -0,0 +1,99 @@ 
+From 8ece5c30bf5917d4cd6dfb460207d1e85eb5df73 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 16:57:31 +0100
+Subject: [PATCH 047/304] dhcp: Rename "enabled" from configuration parameters
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/configs/dhcp | 38 +++++++++++++++-----------------------
+ 1 file changed, 15 insertions(+), 23 deletions(-)
+
+diff --git a/src/hooks/configs/dhcp b/src/hooks/configs/dhcp
+index 1ad0694..1c75193 100644
+--- a/src/hooks/configs/dhcp
++++ b/src/hooks/configs/dhcp
+@@ -22,18 +22,16 @@
+ . /usr/lib/network/header-config
+ 
+ HOOK_SETTINGS=(
+-	"ENABLE_IPV6"
+-	"ENABLE_IPV4"
++	"IPV6"
++	"IPV4"
+ )
+ 
+-DEFAULT_ENABLE_IPV6="on"
+-DEFAULT_ENABLE_IPV4="on"
++DEFAULT_IPV6="on"
++DEFAULT_IPV4="on"
+ 
+ hook_check_config_settings() {
+-	assert isset ENABLE_IPV6
+-	assert isbool ENABLE_IPV6
+-	assert isset ENABLE_IPV4
+-	assert isbool ENABLE_IPV4
++	assert isbool IPV6
++	assert isbool IPV4
+ }
+ 
+ hook_parse_cmdline() {
+@@ -42,17 +40,11 @@ hook_parse_cmdline() {
+ 
+ 	while [ $# -gt 0 ]; do
+ 		case "${1}" in
+-			--enable-ipv6)
+-				ENABLE_IPV6="on"
++			--ipv6)
++				IPV6="$(cli_get_bool "${1}")"
+ 				;;
+-			--disable-ipv6)
+-				ENABLE_IPV6="off"
+-				;;
+-			--enable-ipv4)
+-				ENABLE_IPV4="on"
+-				;;
+-			--disable-ipv4)
+-				ENABLE_IPV4="off"
++			--ipv4)
++				IPV4="$(cli_get_bool "${1}")"
+ 				;;
+ 			*)
+ 				warning "Ignoring unknown option '${1}'"
+@@ -62,8 +54,8 @@ hook_parse_cmdline() {
+ 	done
+ 
+ 	# Check if the user disabled ipv6 and ipv4
+-	if ! enabled ENABLE_IPV6 && ! enabled ENABLE_IPV4; then
+-		log ERROR "You disabled IPv6 and IPv4. At least one must be enabled"
++	if ! enabled IPV6 && ! enabled IPV4; then
++		error "You disabled IPv6 and IPv4. At least one must be enabled"
+ 		return ${EXIT_ERROR}
+ 	fi
+ }
+@@ -106,12 +98,12 @@ hook_up() {
+ 	zone_config_settings_read "${zone}" "${config}"
+ 
+ 	# Start dhclient for IPv6 on this zone if enabled.
+-	if enabled ENABLE_IPV6; then
++	if enabled IPV6; then
+ 		dhclient_start ${zone} ipv6
+ 	fi
+ 
+ 	# Start dhclient for IPv4 on this zone if enabled.
+-	if enabled ENABLE_IPV4; then
++	if enabled IPV4; then
+ 		dhclient_start ${zone} ipv4
+ 	fi
+ 
+@@ -165,7 +157,7 @@ hook_status() {
+ 
+ 		cli_print_fmt1 3 "${proto}"
+ 
+-		if enabled ENABLE_${proto^^}; then
++		if enabled "${proto^^}"; then
+ 			cli_print_fmt1 4 "Status" "enabled"
+ 
+ 			local address="$(db_get "${zone}/${_proto}/local-ip-address")"
+-- 
+2.39.2
+
diff --git a/network/patches/0048-dhcp-Fix-syntax-error-in-last-commit.patch b/network/patches/0048-dhcp-Fix-syntax-error-in-last-commit.patch
new file mode 100644
index 000000000..1f085d2ed
--- /dev/null
+++ b/network/patches/0048-dhcp-Fix-syntax-error-in-last-commit.patch
@@ -0,0 +1,30 @@ 
+From e80eb68607dbdad381e3bb113521609c44fa8cd6 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 17:05:44 +0100
+Subject: [PATCH 048/304] dhcp: Fix syntax error in last commit
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/configs/dhcp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/hooks/configs/dhcp b/src/hooks/configs/dhcp
+index 1c75193..ba5608a 100644
+--- a/src/hooks/configs/dhcp
++++ b/src/hooks/configs/dhcp
+@@ -40,10 +40,10 @@ hook_parse_cmdline() {
+ 
+ 	while [ $# -gt 0 ]; do
+ 		case "${1}" in
+-			--ipv6)
++			--ipv6=*)
+ 				IPV6="$(cli_get_bool "${1}")"
+ 				;;
+-			--ipv4)
++			--ipv4=*)
+ 				IPV4="$(cli_get_bool "${1}")"
+ 				;;
+ 			*)
+-- 
+2.39.2
+
diff --git a/network/patches/0049-hooks-Add-HOOK_UNIQUE-which-stops-us-from-creating-m.patch b/network/patches/0049-hooks-Add-HOOK_UNIQUE-which-stops-us-from-creating-m.patch
new file mode 100644
index 000000000..d790e6c64
--- /dev/null
+++ b/network/patches/0049-hooks-Add-HOOK_UNIQUE-which-stops-us-from-creating-m.patch
@@ -0,0 +1,158 @@ 
+From fdd9ac5fdd66b6cbdf014554281a9bb11ed0379d Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 17:05:58 +0100
+Subject: [PATCH 049/304] hooks: Add HOOK_UNIQUE which stops us from creating
+ multiple instances
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/header-config              |  9 +++++++++
+ src/hooks/configs/dhcp         | 25 -------------------------
+ src/hooks/configs/ipv6-auto    | 22 ----------------------
+ src/hooks/configs/pppoe-server | 22 ----------------------
+ src/hooks/configs/static       |  3 +++
+ 5 files changed, 12 insertions(+), 69 deletions(-)
+
+diff --git a/src/header-config b/src/header-config
+index baeca5e..c6a775c 100644
+--- a/src/header-config
++++ b/src/header-config
+@@ -19,10 +19,19 @@
+ #                                                                             #
+ ###############################################################################
+ 
++# Allow only one instance of this hook
++HOOK_UNIQUE="true"
++
+ hook_new() {
+ 	local zone="${1}"
+ 	shift
+ 
++	# Check if we are allowed to have multiple configurations of $HOOK
++	if enabled HOOK_UNIQUE && zone_config_hook_is_configured "${zone}" "${HOOK}"; then
++		error "You can only have one configuration of type ${HOOK}"
++		return ${EXIT_CONF_ERROR}
++	fi
++
+ 	local id=$(zone_config_get_new_id ${zone})
+ 	log DEBUG "ID for the config is: ${id}"
+ 
+diff --git a/src/hooks/configs/dhcp b/src/hooks/configs/dhcp
+index ba5608a..127ce59 100644
+--- a/src/hooks/configs/dhcp
++++ b/src/hooks/configs/dhcp
+@@ -60,31 +60,6 @@ hook_parse_cmdline() {
+ 	fi
+ }
+ 
+-hook_new() {
+-	local zone="${1}"
+-	shift
+-
+-	if zone_config_hook_is_configured ${zone} "dhcp"; then
+-		log ERROR "You can configure the dhcp hook only once for a zone"
+-		return ${EXIT_ERROR}
+-	fi
+-
+-	local id=$(zone_config_get_new_id ${zone})
+-	log DEBUG "ID for the config is: ${id}"
+-
+-	# Import defaults
+-	hook_set_defaults
+-
+-	if ! hook_parse_cmdline "${id}" "$@"; then
+-		# Return an error if the parsing of the cmd line fails
+-		return ${EXIT_ERROR}
+-	fi
+-
+-	zone_config_settings_write "${zone}" "${HOOK}" "${id}"
+-
+-	exit ${EXIT_OK}
+-}
+-
+ hook_up() {
+ 	local zone=${1}
+ 	local config=${2}
+diff --git a/src/hooks/configs/ipv6-auto b/src/hooks/configs/ipv6-auto
+index 6fd90a5..ecfafcd 100644
+--- a/src/hooks/configs/ipv6-auto
++++ b/src/hooks/configs/ipv6-auto
+@@ -46,28 +46,6 @@ hook_parse_cmdline() {
+ 	done <<< "$(args "$@")"
+ }
+ 
+-hook_new() {
+-	local zone="${1}"
+-	shift
+-
+-	if zone_config_hook_is_configured ${zone} "ipv6-auto"; then
+-		log ERROR "You can configure the ipv6-auto hook only once for a zone"
+-		return ${EXIT_ERROR}
+-	fi
+-
+-	local id=$(zone_config_get_new_id ${zone})
+-	log DEBUG "ID for the config is: ${id}"
+-
+-	if ! hook_parse_cmdline "${id}" "$@"; then
+-		# Return an error if the parsing of the cmd line fails
+-		return ${EXIT_ERROR}
+-	fi
+-
+-	zone_config_settings_write "${zone}" "${HOOK}" "${id}"
+-
+-	exit ${EXIT_OK}
+-}
+-
+ hook_up() {
+ 	local zone=${1}
+ 	shift
+diff --git a/src/hooks/configs/pppoe-server b/src/hooks/configs/pppoe-server
+index 4d79549..e800bf4 100644
+--- a/src/hooks/configs/pppoe-server
++++ b/src/hooks/configs/pppoe-server
+@@ -93,28 +93,6 @@ hook_parse_cmdline() {
+ 	done
+ }
+ 
+-hook_new() {
+-	local zone=${1}
+-	shift
+-
+-	if zone_config_hook_is_configured ${zone} "pppoe-server"; then
+-		log ERROR "You can configure the pppoe-server hook only once for a zone"
+-		return ${EXIT_ERROR}
+-	fi
+-
+-	local id=$(zone_config_get_new_id ${zone})
+-	log DEBUG "ID for the config is: ${id}"
+-
+-	if ! hook_parse_cmdline "${id}" "$@"; then
+-		# Return an error if the parsing of the cmd line fails
+-		return ${EXIT_ERROR}
+-	fi
+-
+-	zone_config_settings_write "${zone}" "${HOOK}" "${id}"
+-
+-	exit ${EXIT_OK}
+-}
+-
+ hook_up() {
+ 	local zone=${1}
+ 	local config=${2}
+diff --git a/src/hooks/configs/static b/src/hooks/configs/static
+index 6fddc32..046183a 100644
+--- a/src/hooks/configs/static
++++ b/src/hooks/configs/static
+@@ -21,6 +21,9 @@
+ 
+ . /usr/lib/network/header-config
+ 
++# Allow multiple instances of this hook
++HOOK_UNIQUE="false"
++
+ HOOK_SETTINGS=(
+ 	"ADDRESS"
+ 	"PREFIX"
+-- 
+2.39.2
+
diff --git a/network/patches/0050-wireless-ap-Check-that-secret-has-the-correct-length.patch b/network/patches/0050-wireless-ap-Check-that-secret-has-the-correct-length.patch
new file mode 100644
index 000000000..00e9e26ba
--- /dev/null
+++ b/network/patches/0050-wireless-ap-Check-that-secret-has-the-correct-length.patch
@@ -0,0 +1,105 @@ 
+From d695b280e9972311ae8c4bc688c0898ade1281e6 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 18:14:07 +0100
+Subject: [PATCH 050/304] wireless-ap: Check that secret has the correct length
+ and no invalid characters
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.util     | 13 +++++++++++++
+ src/functions/functions.wireless | 23 +++++++++++------------
+ src/hooks/ports/wireless-ap      | 14 +++++++++++---
+ 3 files changed, 35 insertions(+), 15 deletions(-)
+
+diff --git a/src/functions/functions.util b/src/functions/functions.util
+index 4c1dbb4..7379a98 100644
+--- a/src/functions/functions.util
++++ b/src/functions/functions.util
+@@ -745,6 +745,19 @@ contains_spaces() {
+ 	return ${EXIT_FALSE}
+ }
+ 
++contains_non_ascii_characters() {
++	local value="$@"
++
++	# Strip away all ASCII characters
++	local non_ascii="${value//[[:ascii:]]/}"
++
++	if isset non_ascii; then
++		return ${EXIT_TRUE}
++	fi
++
++	return ${EXIT_FALSE}
++}
++
+ string_match() {
+ 	local match=${1}
+ 	local string=${2}
+diff --git a/src/functions/functions.wireless b/src/functions/functions.wireless
+index 12204c0..733a356 100644
+--- a/src/functions/functions.wireless
++++ b/src/functions/functions.wireless
+@@ -397,24 +397,23 @@ wireless_set_channel() {
+ }
+ 
+ wireless_pre_shared_key_is_valid() {
+-	local encryption_mode="${1}"
+-	local psk="${2}"
++	local psk="${1}"
+ 
+ 	# Length of the PSK
+ 	local l="${#psk}"
+ 
+-	case "${encryption_mode}" in
+-		# For WPA*, the key must be between 8 and 63 chars
+-		WPA2-PSK|WPA2-PSK-SHA256|WPA-PSK|WPA-PSK-SHA256)
+-			if [ ${l} -ge 8 ] && [ ${l} -le 63 ]; then
+-				return ${EXIT_TRUE}
+-			fi
++	# For WPA*, the key must be between 8 and 63 chars
++	if [ ${l} -lt 8 ] || [ ${l} -gt 63 ]; then
++		return ${EXIT_FALSE}
++	fi
+ 
+-			return ${EXIT_FALSE}
+-			;;
+-	esac
++	# Can only contain ASCII chararcters
++	if contains_non_ascii_characters "${psk}"; then
++		return ${EXIT_FALSE}
++	fi
+ 
+-	return ${EXIT_ERROR}
++	# Seems OK
++	return ${EXIT_TRUE}
+ }
+ 
+ wireless_client_is_connected() {
+diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
+index 2528585..26e14d6 100644
+--- a/src/hooks/ports/wireless-ap
++++ b/src/hooks/ports/wireless-ap
+@@ -156,9 +156,17 @@ hook_parse_cmdline() {
+ 	fi
+ 
+ 	# Check if SECRET is set when WPA* is enabled
+-	if ! isset SECRET && (enabled WPA3_PERSONAL || enabled WPA2_PERSONAL); then
+-		error "Secret is not set when PSK authentication is enabled"
+-		return ${EXIT_ERROR}
++	if enabled WPA3_PERSONAL || enabled WPA2_PERSONAL; then
++		if ! isset SECRET; then
++			error "Secret is not set when PSK authentication is enabled"
++			return ${EXIT_ERROR}
++		fi
++
++		# Check if SECRET is valid
++		if ! wireless_pre_shared_key_is_valid "${SECRET}"; then
++			error "The secret is in an invalid format"
++			return ${EXIT_ERROR}
++		fi
+ 	fi
+ 
+ 	# Save address of phy do identify it again
+-- 
+2.39.2
+
diff --git a/network/patches/0051-Drop-old-locking-functions.patch b/network/patches/0051-Drop-old-locking-functions.patch
new file mode 100644
index 000000000..4a0ee12cc
--- /dev/null
+++ b/network/patches/0051-Drop-old-locking-functions.patch
@@ -0,0 +1,235 @@ 
+From d4564f2b7efa20ea025b6918b012656927fd342a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 18:51:13 +0100
+Subject: [PATCH 051/304] Drop old locking functions
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.device   | 12 ++----
+ src/functions/functions.editor   | 51 +++++++++--------------
+ src/functions/functions.firewall |  3 +-
+ src/functions/functions.lock     | 70 --------------------------------
+ 4 files changed, 26 insertions(+), 110 deletions(-)
+
+diff --git a/src/functions/functions.device b/src/functions/functions.device
+index 48f2440..f52eee5 100644
+--- a/src/functions/functions.device
++++ b/src/functions/functions.device
+@@ -997,15 +997,11 @@ device_get_link_string() {
+ }
+ 
+ device_auto_configure_smp_affinity() {
+-	assert [ $# -eq 1 ]
+-
+-	local device=${1}
+-
+-	if lock_acquire "smp-affinity" 60; then
+-		device_set_smp_affinity ${device} auto
++	local device="${1}"
++	assert isset device
+ 
+-		lock_release "smp-affinity"
+-	fi
++	lock "smp-affinity" \
++		device_set_smp_affinity "${device}" "auto"
+ }
+ 
+ device_set_smp_affinity() {
+diff --git a/src/functions/functions.editor b/src/functions/functions.editor
+index 6edac62..8f0cc0b 100644
+--- a/src/functions/functions.editor
++++ b/src/functions/functions.editor
+@@ -19,17 +19,6 @@
+ #                                                                             #
+ ###############################################################################
+ 
+-editor_cleanup() {
+-	# Cleanup after a file was edited
+-	assert [ $# -eq 2 ]
+-
+-	local file=${1}
+-	local temp_file=${2}
+-
+-	lock_release "${file}.lock"
+-	rm -f ${temp_file}
+-}
+-
+ editor_find_best() {
+ 	# Open a file with the best available editor
+ 	assert [ $# -eq 1 ]
+@@ -62,31 +51,26 @@ editor_find_best() {
+ }
+ 
+ editor() {
+-	# This function open a file for editing and take care of all preperation and postprocessing
+-	assert [ $# -ge 1 ]
++	local file="${1}"
++	assert isset file
+ 
+-	local file=${1}
+ 	if [ ! -f ${file} ] || [ ! -w ${file} ]; then
+ 		error "${file} is not valid file or is not writeable"
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
+-	local check_func=${2}
++	lock "${file}.lock" __editor "$@"
++}
+ 
+-	# check if the file is locked
+-	if lock_exists "${file}.lock"; then
+-		error "Cannot edit ${file} because it is locked"
+-		return ${EXIT_ERROR}
+-	fi
++__editor() {
++	# This function open a file for editing and take care of all preperation and postprocessing
++	assert [ $# -ge 1 ]
+ 
+-	# lock the file
+-	if ! lock_acquire "${file}.lock"; then
+-		error "Cannot lock file ${file}"
+-		return ${EXIT_ERROR}
+-	fi
++	local file="${1}"
++	local check_func="${2}"
+ 
+ 	# create a temporary file
+-	local temp_file=$(mktemp)
++	local temp_file="$(mktemp)"
+ 
+ 	if ! [ -f "${temp_file}" ]; then
+ 		error "Cannot create temporary file"
+@@ -98,21 +82,26 @@ editor() {
+ 	# edit the file
+ 	if ! editor_find_best "${temp_file}"; then
+ 		error "Could not edit ${file}"
+-		# cleanup
+-		editor_cleanup "${file}" "${temp_file}"
++
++		# Delete temporary file
++		file_delete "${temp_file}"
++
++		return ${EXIT_ERROR}
+ 	fi
+ 
+ 	# run the check if we have one
+ 	if isset check_func && ! editor_check "${check_func}" "${temp_file}"; then
++		# Delete temporary file
++		file_delete "${temp_file}"
++
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
+ 	# copy the changes back
+ 	cp -f "${temp_file}" "${file}"
+ 
+-	# cleanup
+-	editor_cleanup "${file}" "${temp_file}"
+-
++	# Delete temporary file
++	file_delete "${temp_file}"
+ }
+ 
+ editor_check() {
+diff --git a/src/functions/functions.firewall b/src/functions/functions.firewall
+index 347916e..e22576b 100644
+--- a/src/functions/functions.firewall
++++ b/src/functions/functions.firewall
+@@ -269,7 +269,8 @@ firewall_panic() {
+ }
+ 
+ firewall_lock_acquire() {
+-	lock_acquire ${RUN_DIR}/.firewall_lock
++	# XXX DEPRECATED
++	#lock_acquire ${RUN_DIR}/.firewall_lock
+ 
+ 	# Make sure the lock is released after the firewall
+ 	# script has crashed or exited early.
+diff --git a/src/functions/functions.lock b/src/functions/functions.lock
+index 6295a22..fd15e5e 100644
+--- a/src/functions/functions.lock
++++ b/src/functions/functions.lock
+@@ -19,16 +19,6 @@
+ #                                                                             #
+ ###############################################################################
+ 
+-__lock_path() {
+-	local name=${1}
+-
+-	if [ "${name:0:1}" = "/" ]; then
+-		echo "${name}"
+-	else
+-		echo "${LOCK_DIR}/network-${name}"
+-	fi
+-}
+-
+ lock() {
+ 	local lock="${1}"
+ 	shift
+@@ -65,63 +55,3 @@ lock() {
+ 		exit ${ret}
+ 	) 9>${lock} || exit $?
+ }
+-
+-lock_exists() {
+-	local name=${1}
+-	assert isset name
+-
+-	local lockfile=$(__lock_path ${name})
+-
+-	if [ -e "${lockfile}" ]; then
+-		return ${EXIT_TRUE}
+-	else
+-		return ${EXIT_FALSE}
+-	fi
+-}
+-
+-lock_acquire() {
+-	local name=${1}
+-	assert isset name
+-
+-	# timeout value in seconds
+-	local timeout=${2}
+-
+-	if ! isset timeout; then
+-		timeout=0
+-	fi
+-
+-	local lockfile=$(__lock_path ${name})
+-
+-	timeout=$(( ${timeout} * 4 ))
+-
+-	log DEBUG "Acquiring lock '${name}'"
+-
+-	# Wait until lock is available
+-	while [ ${timeout} -gt 0 ] && [ -e "${lockfile}" ]; do
+-		timeout=$(( ${timeout} - 1 ))
+-		sleep 0.25
+-	done
+-
+-	# If another lock still exists, we return an error
+-	if [ -e "${lockfile}" ]; then
+-		error "Could not acquire lock '${name}'"
+-		return ${EXIT_ERROR}
+-	fi
+-
+-	# Write out pid to the lockfile and make sure that
+-	# nobody else can access it.
+-	echo "$$" > ${lockfile}
+-	chmod 600 ${lockfile}
+-}
+-
+-lock_release() {
+-	local name=${1}
+-	assert isset name
+-
+-	local lockfile=$(__lock_path ${name})
+-
+-	log DEBUG "Releasing lock '${name}'"
+-
+-	# Remove the lockfile (okay if it does not exist).
+-	rm -f ${lockfile}
+-}
+-- 
+2.39.2
+
diff --git a/network/patches/0052-ip-tunnel-Enable-support-for-6in4-tunnels.patch b/network/patches/0052-ip-tunnel-Enable-support-for-6in4-tunnels.patch
new file mode 100644
index 000000000..403991b84
--- /dev/null
+++ b/network/patches/0052-ip-tunnel-Enable-support-for-6in4-tunnels.patch
@@ -0,0 +1,26 @@ 
+From 55dcff454fa68dc2ff82f3dfbbafd75d3799b0ae Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 18:56:04 +0100
+Subject: [PATCH 052/304] ip-tunnel: Enable support for 6in4 tunnels
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/zones/ip-tunnel | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/hooks/zones/ip-tunnel b/src/hooks/zones/ip-tunnel
+index 634154e..c4a4fb4 100644
+--- a/src/hooks/zones/ip-tunnel
++++ b/src/hooks/zones/ip-tunnel
+@@ -21,7 +21,7 @@
+ 
+ . /usr/lib/network/header-zone
+ 
+-SUPPORTED_IP_TUNNEL_MODES="gre vti"
++SUPPORTED_IP_TUNNEL_MODES="gre sit vti"
+ 
+ HOOK_SETTINGS=(
+ 	"MARK"
+-- 
+2.39.2
+
diff --git a/network/patches/0053-lock-Cleanup-lock-files.patch b/network/patches/0053-lock-Cleanup-lock-files.patch
new file mode 100644
index 000000000..44176d537
--- /dev/null
+++ b/network/patches/0053-lock-Cleanup-lock-files.patch
@@ -0,0 +1,37 @@ 
+From 1ed79f5432d0bd4c4f0c8f8692b488c268e379a4 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 30 Mar 2019 19:03:24 +0100
+Subject: [PATCH 053/304] lock: Cleanup lock files
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.lock | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.lock b/src/functions/functions.lock
+index fd15e5e..c01fcf3 100644
+--- a/src/functions/functions.lock
++++ b/src/functions/functions.lock
+@@ -29,6 +29,7 @@ lock() {
+ 	fi
+ 
+ 	local timeout="60"
++	local ret=0
+ 
+ 	# Make partent directory
+ 	make_parent_directory "${lock}"
+@@ -53,5 +54,10 @@ lock() {
+ 		log DEBUG "Released lock ${lock}"
+ 
+ 		exit ${ret}
+-	) 9>${lock} || exit $?
++	) 9>${lock} || ret=$?
++
++	# Cleanup log file
++	file_delete "${lock}"
++
++	return ${ret}
+ }
+-- 
+2.39.2
+
diff --git a/network/patches/0054-hostapd-Require-MFP-for-SAE-when-it-is-enabled.patch b/network/patches/0054-hostapd-Require-MFP-for-SAE-when-it-is-enabled.patch
new file mode 100644
index 000000000..2b20f4cbd
--- /dev/null
+++ b/network/patches/0054-hostapd-Require-MFP-for-SAE-when-it-is-enabled.patch
@@ -0,0 +1,45 @@ 
+From 1ef692c599a77fcb0683e3196b8f4b56f52644da Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 13:10:30 +0200
+Subject: [PATCH 054/304] hostapd: Require MFP for SAE when it is enabled
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.hostapd | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
+index 095beb8..410e6e5 100644
+--- a/src/functions/functions.hostapd
++++ b/src/functions/functions.hostapd
+@@ -407,6 +407,7 @@ hostapd_config_write() {
+ 	local wpa_passphrase
+ 	local sae_password
+ 	local wpa_strict_rekey
++	local sae_require_mfp
+ 
+ 	# WPA3 Personal
+ 	if enabled WPA3_PERSONAL; then
+@@ -416,6 +417,10 @@ hostapd_config_write() {
+ 		# Add WPA key management
+ 		list_append wpa_key_mgmt "SAE"
+ 		sae_password="${secret}"
++
++		if enabled MFP; then
++			sae_require_mfp="1"
++		fi
+ 	fi
+ 
+ 	# WPA2 Personal
+@@ -441,7 +446,7 @@ hostapd_config_write() {
+ 
+ 	local var
+ 	for var in wpa wpa_key_mgmt wpa_passphrase sae_password \
+-			rsn_pairwise group_cipher wpa_strict_rekey; do
++			rsn_pairwise group_cipher wpa_strict_rekeyi sae_require_mfp; do
+ 		if [ -n "${!var}" ]; then
+ 			print "${var}=${!var}"
+ 		fi
+-- 
+2.39.2
+
diff --git a/network/patches/0055-bird-Write-IPv6-router-advertisement-configuration.patch b/network/patches/0055-bird-Write-IPv6-router-advertisement-configuration.patch
new file mode 100644
index 000000000..32dc97ba2
--- /dev/null
+++ b/network/patches/0055-bird-Write-IPv6-router-advertisement-configuration.patch
@@ -0,0 +1,117 @@ 
+From 7a3747a1b0d2e219600979aa4286e8ffd96d5b59 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 14:14:55 +0200
+Subject: [PATCH 055/304] bird: Write IPv6 router advertisement configuration
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.bird | 89 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 89 insertions(+)
+
+diff --git a/src/functions/functions.bird b/src/functions/functions.bird
+index c6fea32..950bb78 100644
+--- a/src/functions/functions.bird
++++ b/src/functions/functions.bird
+@@ -84,6 +84,9 @@ bird_generate_config() {
+ 		print "}"
+ 		print
+ 	done >> ${BIRD_CONF}
++
++	# Write IPv6 Router Advertisement configuration
++	__bird_ipv6_radv >> ${BIRD_CONF}
+ }
+ 
+ __bird_static_routes() {
+@@ -122,3 +125,89 @@ __bird_static_routes() {
+ 		esac
+ 	done < ${NETWORK_CONFIG_ROUTES}
+ }
++
++__bird_ipv6_radv() {
++	print "protocol radv {"
++
++	local zone
++	for zone in $(zones_get_local); do
++		log DEBUG "Writing bird radv configuration for ${zone}"
++
++		# Skip if there is no prefix or prefix is link-local.
++		local addr="$(db_get "${zone}/ipv6/local-ip-address")"
++		if [ -z "${addr}" ] || [ "${addr:0:5}" = "fe80:" ]; then
++			continue
++		fi
++
++		# Check if the subnet is configured by the DHCP server.
++		local dhcp="false"
++		local prefix="$(ipv6_get_network "${addr}")"
++		if isset prefix && dhcpd_subnet_match ipv6 "${prefix}"; then
++			dhcp="true"
++		fi
++
++		print "	interface \"${zone}\" {"
++			# Failover to other routers within 10s
++			print "		max ra interval 10;"
++
++			# Tell clients we are running DHCP
++			if enabled dhcp; then
++				print "		managed yes;"
++				print "		other config yes;"
++			fi
++
++			if device_exists "${zone}"; then
++				# Announce link MTU
++				local mtu="$(device_get_mtu "${zone}")"
++				print "		link mtu ${mtu};"
++			fi
++
++			print # empty line
++
++			# Announce all prefixes
++			print "		prefix ::/0 {"
++
++			if enabled dhcp; then
++				print "			autonomous off;"
++			fi
++
++			print "		};"
++		print "	};\n"
++	done
++
++	# Advertise any DNS servers
++	if enabled DNS_ADVERTISE_SERVERS; then
++		# Get a list of all IPv6 name servers
++		local servers=()
++		local server
++		for server in $(dns_server_list_sorted); do
++			# Skip any non-IPv6 servers
++			ipv6_is_valid "${server}" || continue
++
++			servers+=( "${server}" )
++		done
++
++		if isset servers; then
++			print "	rdnss {"
++
++			local server
++			for server in ${servers}; do
++				print "		ns ${server};"
++			done
++
++			print "	};"
++		fi
++	fi
++
++	# DNS Search Domain
++	print "	dnssl {"
++
++	local domain
++	for domain in $(dns_get_search_domains); do
++		print "		domain \"${domain}\";"
++	done
++
++	print "	};"
++
++	print "}\n"
++}
+-- 
+2.39.2
+
diff --git a/network/patches/0056-Drop-code-for-radvd.patch b/network/patches/0056-Drop-code-for-radvd.patch
new file mode 100644
index 000000000..52241fd28
--- /dev/null
+++ b/network/patches/0056-Drop-code-for-radvd.patch
@@ -0,0 +1,314 @@ 
+From 1cb20d39b29a1bd73cef2926cc4aae651f653ca7 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 14:20:40 +0200
+Subject: [PATCH 056/304] Drop code for radvd
+
+This is now being replaced by bird.
+
+Bird is running anyways and can do this job just as well.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am                     |   2 -
+ src/functions/functions.bird    |  11 +++
+ src/functions/functions.dns     |   8 +-
+ src/functions/functions.radvd   | 160 --------------------------------
+ src/functions/functions.routing |   4 +-
+ src/network-radvd-config        |  35 -------
+ 6 files changed, 17 insertions(+), 203 deletions(-)
+ delete mode 100644 src/functions/functions.radvd
+ delete mode 100644 src/network-radvd-config
+
+diff --git a/Makefile.am b/Makefile.am
+index 1b5e7e9..ce587b7 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -173,7 +173,6 @@ dist_network_DATA = \
+ 	src/functions/functions.ports \
+ 	src/functions/functions.ppp \
+ 	src/functions/functions.pppoe-server \
+-	src/functions/functions.radvd \
+ 	src/functions/functions.route \
+ 	src/functions/functions.routing \
+ 	src/functions/functions.serial \
+@@ -193,7 +192,6 @@ dist_network_DATA = \
+ 	src/functions/functions.wireless-networks \
+ 	src/functions/functions.wpa_supplicant \
+ 	src/functions/functions.zone \
+-	src/network-radvd-config \
+ 	src/header-config \
+ 	src/header-port \
+ 	src/header-zone
+diff --git a/src/functions/functions.bird b/src/functions/functions.bird
+index 950bb78..55d43b5 100644
+--- a/src/functions/functions.bird
++++ b/src/functions/functions.bird
+@@ -33,6 +33,17 @@ bird_reload() {
+ 	service_reload "bird.service"
+ }
+ 
++# Update configuration any apply it in one go
++bird_update() {
++	if ! bird_generate_config; then
++		log ERROR "Could not write Bird configuration"
++		return ${EXIT_ERROR}
++	fi
++
++	# Reload bird
++	bird_reload
++}
++
+ bird_generate_config() {
+ 	log DEBUG "Write BIRD configuration file"
+ 
+diff --git a/src/functions/functions.dns b/src/functions/functions.dns
+index 890f1ac..0e058be 100644
+--- a/src/functions/functions.dns
++++ b/src/functions/functions.dns
+@@ -31,8 +31,8 @@ NETWORK_SETTINGS_FILE_PARAMS="${NETWORK_SETTINGS_FILE_PARAMS} DNS_RANDOMIZE"
+ DNS_SEARCH_DOMAINS=""
+ NETWORK_SETTINGS_FILE_PARAMS="${NETWORK_SETTINGS_FILE_PARAMS} DNS_SEARCH_DOMAINS"
+ 
+-# Set this option to true if the DNS servers should be advertised by
+-# radvd.
++# Set this option to true if the DNS servers should be advertised in
++# IPv6 router advertisements
+ DNS_ADVERTISE_SERVERS="true"
+ 
+ DNS_SERVER_CONFIG_FILE="${NETWORK_CONFIG_DIR}/dns-servers"
+@@ -234,8 +234,8 @@ dns_server_update() {
+ 	# Regenerate /etc/resolv.conf
+ 	dns_generate_resolvconf
+ 
+-	# Restart radvd which propagates IPv6 DNS servers
+-	radvd_update
++	# Update bird about IPv6 DNS server changes
++	bird_update
+ }
+ 
+ dns_generate_resolvconf() {
+diff --git a/src/functions/functions.radvd b/src/functions/functions.radvd
+deleted file mode 100644
+index 1c8b8d0..0000000
+--- a/src/functions/functions.radvd
++++ /dev/null
+@@ -1,160 +0,0 @@
+-#!/bin/bash
+-###############################################################################
+-#                                                                             #
+-# IPFire.org - A linux based firewall                                         #
+-# Copyright (C) 2010  Michael Tremer & Christian Schmidt                      #
+-#                                                                             #
+-# This program is free software: you can redistribute it and/or modify        #
+-# it under the terms of the GNU General Public License as published by        #
+-# the Free Software Foundation, either version 3 of the License, or           #
+-# (at your option) any later version.                                         #
+-#                                                                             #
+-# This program is distributed in the hope that it will be useful,             #
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+-# GNU General Public License for more details.                                #
+-#                                                                             #
+-# You should have received a copy of the GNU General Public License           #
+-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+-#                                                                             #
+-###############################################################################
+-
+-RADVD_CONFIGFILE="/etc/radvd.conf"
+-
+-radvd_update() {
+-	# (Re-)write the configuration file
+-	if radvd_write_config; then
+-		# Reload the radvd service if it is already running
+-		if service_is_active radvd; then
+-			service_reload radvd
+-			return ${EXIT_OK}
+-		fi
+-
+-		# Start the radvd service
+-		service_start radvd
+-	fi
+-}
+-
+-radvd_clear_config() {
+-	log DEBUG "Clearing radv daemon configuration file"
+-
+-	config_header "radv daemon configuration file" > ${RADVD_CONFIGFILE}
+-
+-	return ${EXIT_OK}
+-}
+-
+-radvd_write_config() {
+-	radvd_clear_config
+-
+-	# Write the configuration for all zones.
+-	local zone
+-
+-	# The return value determine if radvd is started or not
+-	local return_value=${EXIT_FALSE}
+-
+-	for zone in $(zones_get_local); do
+-		if __radvd_config_interface ${zone}; then
+-			# We return TRUE when __radvd_config_interface returns True
+-			return_value=${EXIT_TRUE}
+-		fi
+-	done >> ${RADVD_CONFIGFILE}
+-
+-	return ${return_value}
+-}
+-
+-# This function return ${EXIT_FALSE} if no radvd config was written and ${EXIT_TRUE} in all other cases
+-__radvd_config_interface() {
+-	local zone=${1}
+-	assert isset zone
+-
+-	log DEBUG "Writing radvd configuration for ${zone}."
+-
+-	# If the interface does not provide any routing information,
+-	# we can skip this whole stuff.
+-	if ! db_exists "${zone}/ipv6"; then
+-		return ${EXIT_FALSE}
+-	fi
+-
+-	# Skip if zone is not active.
+-	local active="$(db_get "${zone}/ipv6/active")"
+-	[ "${active}" = "0" ] && return ${EXIT_FALSE}
+-
+-	# Skip if there is no prefix or prefix is link-local.
+-	local addr="$(db_get "${zone}/ipv6/local-ip-address")"
+-	if [ -z "${addr}" ] || [ "${addr:0:5}" = "fe80:" ]; then
+-		return ${EXIT_FALSE}
+-	fi
+-
+-	# Check if the subnet is configured by the DHCP server.
+-	local dhcpd="false"
+-	local prefix="$(ipv6_get_network "${addr}")"
+-	if isset prefix && dhcpd_subnet_match ipv6 "${prefix}"; then
+-		dhcpd="true"
+-	fi
+-
+-	print "interface ${zone} {"
+-	print "	AdvSendAdvert on;"
+-	print "	MinRtrAdvInterval 3;"
+-	print "	MaxRtrAdvInterval 10;"
+-	print "	IgnoreIfMissing on;"
+-
+-	if enabled dhcpd; then
+-		print "	AdvManagedFlag on;"
+-		print "	AdvOtherConfigFlag on;"
+-	fi
+-
+-	print
+-	print "	prefix ::/64 {"
+-	print "		AdvOnLink on;"
+-
+-	if enabled dhcpd; then
+-		print "		AdvRouterAddr off;"
+-		print "		AdvAutonomous off;"
+-	else
+-		print "		AdvRouterAddr on;"
+-		print "		AdvAutonomous on;"
+-	fi
+-
+-	print "	};"
+-	print
+-
+-	# Add the DNS configuration.
+-	__radvd_config_dns ${zone}
+-
+-	print "};"
+-	print
+-
+-	return ${EXIT_TRUE}
+-}
+-
+-__radvd_config_dns() {
+-	local zone=${1}
+-
+-	# Do nothing, when this option is not enabled.
+-	enabled DNS_ADVERTISE_SERVERS || return ${EXIT_OK}
+-
+-	# XXX it is kind of difficult to announce our local
+-	# resolver.
+-
+-	local server servers
+-	for server in $(dns_server_list_sorted); do
+-		# Filter out non IPv6 addresses.
+-		ipv6_is_valid ${server} || continue
+-
+-		servers="${servers} ${server}"
+-	done
+-
+-	# Remove whitespaces.
+-	servers=$(echo ${servers})
+-
+-	# If there are no servers to announce, we stop right here.
+-	if ! isset servers; then
+-		log DEBUG "No servers to announce."
+-		return ${EXIT_OK}
+-	fi
+-
+-	print "	RDNSS ${servers} {"
+-	print "		# Use the defaults here."
+-	print "	};"
+-	print
+-}
+diff --git a/src/functions/functions.routing b/src/functions/functions.routing
+index c7aac09..351cc53 100644
+--- a/src/functions/functions.routing
++++ b/src/functions/functions.routing
+@@ -80,8 +80,8 @@ routing_default_update() {
+ 		# Remove too much spaces.
+ 		routes=$(echo ${routes})
+ 
+-		# Reload radvd configuration
+-		[[ "${proto}" = "ipv6" ]] && radvd_update
++		# Reload bird configuration
++		[[ "${proto}" = "ipv6" ]] && bird_update
+ 
+ 		# Remove all default routes.
+ 		if [ -z "${routes}" ]; then
+diff --git a/src/network-radvd-config b/src/network-radvd-config
+deleted file mode 100644
+index e9809e1..0000000
+--- a/src/network-radvd-config
++++ /dev/null
+@@ -1,35 +0,0 @@
+-#!/bin/bash
+-###############################################################################
+-#                                                                             #
+-# IPFire.org - A linux based firewall                                         #
+-# Copyright (C) 2011  Michael Tremer & Christian Schmidt                      #
+-#                                                                             #
+-# This program is free software: you can redistribute it and/or modify        #
+-# it under the terms of the GNU General Public License as published by        #
+-# the Free Software Foundation, either version 3 of the License, or           #
+-# (at your option) any later version.                                         #
+-#                                                                             #
+-# This program is distributed in the hope that it will be useful,             #
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+-# GNU General Public License for more details.                                #
+-#                                                                             #
+-# You should have received a copy of the GNU General Public License           #
+-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+-#                                                                             #
+-###############################################################################
+-
+-. /lib/network/functions
+-
+-case "${1}" in
+-	start)
+-		# Write the radvd configuration file.
+-		radvd_write_config
+-		;;
+-	stop)
+-		# Clear all contents in the configuration file.
+-		radvd_clear_config
+-		;;
+-esac
+-
+-exit ${EXIT_OK}
+-- 
+2.39.2
+
diff --git a/network/patches/0057-.gitignore-Ignore-vim-s-swp-files.patch b/network/patches/0057-.gitignore-Ignore-vim-s-swp-files.patch
new file mode 100644
index 000000000..4b6f140c7
--- /dev/null
+++ b/network/patches/0057-.gitignore-Ignore-vim-s-swp-files.patch
@@ -0,0 +1,25 @@ 
+From f116762cf279b39749bea053eca0e873c60e23f1 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 14:21:18 +0200
+Subject: [PATCH 057/304] .gitignore: Ignore vim's swp files
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ .gitignore | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/.gitignore b/.gitignore
+index a6df183..36c85a1 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -20,6 +20,7 @@
+ *.lo
+ *.o
+ *.stamp
++*.swp
+ *.trs
+ *~
+ .deps
+-- 
+2.39.2
+
diff --git a/network/patches/0058-bird-Make-sure-the-daemon-is-always-running.patch b/network/patches/0058-bird-Make-sure-the-daemon-is-always-running.patch
new file mode 100644
index 000000000..f8c7758fc
--- /dev/null
+++ b/network/patches/0058-bird-Make-sure-the-daemon-is-always-running.patch
@@ -0,0 +1,73 @@ 
+From 39beacd0549be57fde9eb350c2c9292094537629 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 14:28:44 +0200
+Subject: [PATCH 058/304] bird: Make sure the daemon is always running
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.bird  | 14 ++++++++++++++
+ src/functions/functions.route |  7 ++-----
+ src/network                   |  4 ++--
+ 3 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/src/functions/functions.bird b/src/functions/functions.bird
+index 55d43b5..1bbac8c 100644
+--- a/src/functions/functions.bird
++++ b/src/functions/functions.bird
+@@ -33,6 +33,20 @@ bird_reload() {
+ 	service_reload "bird.service"
+ }
+ 
++bird_enable() {
++	# Generate configuration file
++	if ! bird_generate_config; then
++		log ERROR "Could not write Bird configuration"
++		return ${EXIT_ERROR}
++	fi
++
++	# Enable the service to be automatically started next time
++	service_enable "bird.service"
++
++	# Start it now
++	bird_start
++}
++
+ # Update configuration any apply it in one go
+ bird_update() {
+ 	if ! bird_generate_config; then
+diff --git a/src/functions/functions.route b/src/functions/functions.route
+index e6ea244..b833822 100644
+--- a/src/functions/functions.route
++++ b/src/functions/functions.route
+@@ -393,11 +393,8 @@ route_parse_line() {
+ }
+ 
+ route_apply() {
+-	# Re-generate BIRD configuration
+-	bird_generate_config
+-
+-	# Reload the daemon
+-	bird_reload
++	# Update bird
++	bird_update
+ }
+ 
+ route_entry_add() {
+diff --git a/src/network b/src/network
+index 300ba94..be06d8a 100644
+--- a/src/network
++++ b/src/network
+@@ -1381,8 +1381,8 @@ case "${action}" in
+ 		# Update resolv.conf(5) when initializing the network
+ 		dns_generate_resolvconf
+ 
+-		# Update bird configuration
+-		bird_generate_config
++		# Make sure bird is running
++		bird_enable
+ 
+ 		# Also execute all triggers
+ 		triggers_execute_all "init"
+-- 
+2.39.2
+
diff --git a/network/patches/0059-configure-Require-asciidoc.patch b/network/patches/0059-configure-Require-asciidoc.patch
new file mode 100644
index 000000000..93e95bae8
--- /dev/null
+++ b/network/patches/0059-configure-Require-asciidoc.patch
@@ -0,0 +1,28 @@ 
+From 57496df2abdaa620e8ce68abfa5ad65b211a3484 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 26 Sep 2018 22:14:27 +0200
+Subject: [PATCH 059/304] configure: Require asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ configure.ac | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 08e9089..117850f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -143,6 +143,10 @@ PKG_CHECK_MODULES([LIBNL], [libnl-3.0 libnl-genl-3.0])
+ 
+ # ------------------------------------------------------------------------------
+ 
++AC_CHECK_PROGS(ASCIIDOC, [asciidoc])
++
++# ------------------------------------------------------------------------------
++
+ AC_CONFIG_HEADERS(config.h)
+ AC_CONFIG_FILES([
+ 	Makefile
+-- 
+2.39.2
+
diff --git a/network/patches/0060-man-Add-test-page-for-asciidoc.patch b/network/patches/0060-man-Add-test-page-for-asciidoc.patch
new file mode 100644
index 000000000..c50e1903e
--- /dev/null
+++ b/network/patches/0060-man-Add-test-page-for-asciidoc.patch
@@ -0,0 +1,94 @@ 
+From 8f591cfc10d1876523d608d9643f0a82517c2add Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 26 Sep 2018 22:42:36 +0200
+Subject: [PATCH 060/304] man: Add test page for asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am    | 14 +++++++++++---
+ man/.gitignore |  1 +
+ man/test.txt   | 11 +++++++++++
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+ create mode 100644 man/test.txt
+
+diff --git a/Makefile.am b/Makefile.am
+index ce587b7..d01e223 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -89,6 +89,10 @@ INSTALL_EXEC_HOOKS += \
+ 
+ # ------------------------------------------------------------------------------
+ 
++AM_V_ASCIIDOC   = $(AM_V_ASCIIDOC_$(V))
++AM_V_ASCIIDOC_  = $(AM_V_ASCIIDOC_$(AM_DEFAULT_VERBOSITY))
++AM_V_ASCIIDOC_0 = @echo "  ASCIIDOC" $@;
++
+ AM_V_DOWNLOAD   = $(AM_V_DOWNLOAD_$(V))
+ AM_V_DOWNLOAD_  = $(AM_V_DOWNLOAD_$(AM_DEFAULT_VERBOSITY))
+ AM_V_DOWNLOAD_0 = @echo "  LOAD    " $@;
+@@ -449,6 +453,7 @@ INSTALL_DIRS += \
+ # ------------------------------------------------------------------------------
+ 
+ MANPAGES = \
++	man/test.8 \
+ 	man/firewall-settings.8 \
+ 	man/network.8 \
+ 	man/network-color.8 \
+@@ -472,8 +477,8 @@ MANPAGES = \
+ 	man/network-zone-pppoe.8 \
+ 	man/network-zone-wireless.8
+ 
+-MANPAGES_XML  = $(patsubst %.8,%.xml,$(MANPAGES))
+-MANPAGES_HTML = $(patsubst %.xml,%.html,$(MANPAGES_XML))
++MANPAGES_TXT  = $(patsubst %.8,%.txt,$(MANPAGES))
++MANPAGES_HTML = $(patsubst %.txt,%.html,$(MANPAGES))
+ 
+ .PHONY: man
+ man: $(MANPAGES) $(MANPAGES_HTML)
+@@ -489,7 +494,7 @@ CLEANFILES += \
+ 	$(MANPAGES_HTML)
+ 
+ EXTRA_DIST += \
+-	$(MANPAGES_XML) \
++	$(MANPAGES_TXT) \
+ 	man/custom-html.xsl
+ 
+ XSLTPROC_FLAGS = \
+@@ -507,6 +512,9 @@ XSLTPROC_COMMAND_MAN = \
+ XSLTPROC_COMMAND_HTML = \
+ 	$(AM_V_XSLT)$(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(srcdir)/man/custom-html.xsl $<
+ 
++man/%.xml: man/%.txt
++	$(AM_V_ASCIIDOC)$(ASCIIDOC) -d manpage -b docbook -o $@ $<
++
+ man/%.8: man/%.xml
+ 	$(XSLTPROC_COMMAND_MAN)
+ 
+diff --git a/man/.gitignore b/man/.gitignore
+index 237049a..f891826 100644
+--- a/man/.gitignore
++++ b/man/.gitignore
+@@ -1,2 +1,3 @@
+ /*.[13578]
+ /*.html
++/*.xml
+diff --git a/man/test.txt b/man/test.txt
+new file mode 100644
+index 0000000..4c9d35d
+--- /dev/null
++++ b/man/test.txt
+@@ -0,0 +1,11 @@
++test(8)
++=======
++
++NAME
++----
++test - Hello World!
++
++SYNOPSIS
++--------
++[verse]
++'hello world' [<options>] <file>
+-- 
+2.39.2
+
diff --git a/network/patches/0061-man-Use-asciidoc-to-generate-HTML-pages-directly.patch b/network/patches/0061-man-Use-asciidoc-to-generate-HTML-pages-directly.patch
new file mode 100644
index 000000000..fd2e569ec
--- /dev/null
+++ b/network/patches/0061-man-Use-asciidoc-to-generate-HTML-pages-directly.patch
@@ -0,0 +1,86 @@ 
+From a7d2fef75b529c8cc10c4d22fca3114e30542394 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 26 Sep 2018 23:04:35 +0200
+Subject: [PATCH 061/304] man: Use asciidoc to generate HTML pages directly
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am         | 10 +++-------
+ man/custom-html.xsl | 31 -------------------------------
+ 2 files changed, 3 insertions(+), 38 deletions(-)
+ delete mode 100644 man/custom-html.xsl
+
+diff --git a/Makefile.am b/Makefile.am
+index d01e223..c4f8b45 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -494,8 +494,7 @@ CLEANFILES += \
+ 	$(MANPAGES_HTML)
+ 
+ EXTRA_DIST += \
+-	$(MANPAGES_TXT) \
+-	man/custom-html.xsl
++	$(MANPAGES_TXT)
+ 
+ XSLTPROC_FLAGS = \
+ 	--nonet \
+@@ -509,17 +508,14 @@ XSLTPROC_COMMAND_MAN = \
+ 	$(AM_V_XSLT)$(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) \
+ 		http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+ 
+-XSLTPROC_COMMAND_HTML = \
+-	$(AM_V_XSLT)$(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(srcdir)/man/custom-html.xsl $<
+-
+ man/%.xml: man/%.txt
+ 	$(AM_V_ASCIIDOC)$(ASCIIDOC) -d manpage -b docbook -o $@ $<
+ 
+ man/%.8: man/%.xml
+ 	$(XSLTPROC_COMMAND_MAN)
+ 
+-man/%.html: man/%.xml man/custom-html.xsl
+-	$(XSLTPROC_COMMAND_HTML)
++man/%.html: man/%.txt
++	$(AM_V_ASCIIDOC)$(ASCIIDOC) -b html5 -a icons -a theme=flask -o $@ $<
+ 
+ # ------------------------------------------------------------------------------
+ 
+diff --git a/man/custom-html.xsl b/man/custom-html.xsl
+deleted file mode 100644
+index fe2b54e..0000000
+--- a/man/custom-html.xsl
++++ /dev/null
+@@ -1,31 +0,0 @@
+-<?xml version='1.0'?>
+-
+-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+-
+-<xsl:import href="http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl"/>
+-
+-<!-- translate man page references to links to html pages -->
+-<xsl:template match="citerefentry">
+-  <a>
+-    <xsl:attribute name="href">
+-      <xsl:value-of select="refentrytitle"/><xsl:text>.html</xsl:text>
+-    </xsl:attribute>
+-    <xsl:call-template name="inline.charseq"/>
+-  </a>
+-</xsl:template>
+-
+-<!-- add Index link at top of page -->
+-<xsl:template name="user.header.content">
+-  <a>
+-    <xsl:attribute name="href">
+-      <xsl:text>index.html</xsl:text>
+-    </xsl:attribute>
+-    <xsl:text>Index</xsl:text>
+-  </a>
+-  <hr/>
+-</xsl:template>
+-
+-<!-- Switch things to UTF-8, ISO-8859-1 is soo yesteryear -->
+-<xsl:output method="html" encoding="UTF-8" indent="no"/>
+-
+-</xsl:stylesheet>
+-- 
+2.39.2
+
diff --git a/network/patches/0062-man-Add-asciidoc-configuration-file.patch b/network/patches/0062-man-Add-asciidoc-configuration-file.patch
new file mode 100644
index 000000000..3183ec913
--- /dev/null
+++ b/network/patches/0062-man-Add-asciidoc-configuration-file.patch
@@ -0,0 +1,62 @@ 
+From baf429f17d664bbc6d141c13ce6ed52091803c3b Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 27 Sep 2018 00:22:59 +0200
+Subject: [PATCH 062/304] man: Add asciidoc configuration file
+
+This adds a short command to link to other man pages
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am       | 12 ++++++++----
+ man/asciidoc.conf | 12 ++++++++++++
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+ create mode 100644 man/asciidoc.conf
+
+diff --git a/Makefile.am b/Makefile.am
+index c4f8b45..ebf3be7 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -508,14 +508,18 @@ XSLTPROC_COMMAND_MAN = \
+ 	$(AM_V_XSLT)$(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) \
+ 		http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+ 
+-man/%.xml: man/%.txt
+-	$(AM_V_ASCIIDOC)$(ASCIIDOC) -d manpage -b docbook -o $@ $<
++man/%.xml: man/%.txt man/asciidoc.conf
++	$(AM_V_ASCIIDOC)$(ASCIIDOC) \
++		-f man/asciidoc.conf \
++		-d manpage -b docbook -o $@ $<
+ 
+ man/%.8: man/%.xml
+ 	$(XSLTPROC_COMMAND_MAN)
+ 
+-man/%.html: man/%.txt
+-	$(AM_V_ASCIIDOC)$(ASCIIDOC) -b html5 -a icons -a theme=flask -o $@ $<
++man/%.html: man/%.txt man/asciidoc.conf
++	$(AM_V_ASCIIDOC)$(ASCIIDOC) \
++		-f man/asciidoc.conf \
++		-b html5 -a icons -a theme=flask -o $@ $<
+ 
+ # ------------------------------------------------------------------------------
+ 
+diff --git a/man/asciidoc.conf b/man/asciidoc.conf
+new file mode 100644
+index 0000000..243f81f
+--- /dev/null
++++ b/man/asciidoc.conf
+@@ -0,0 +1,12 @@
++ifdef::backend-docbook[]
++[link-inlinemacro]
++{0%{target}}
++{0#<citerefentry>}
++{0#<refentrytitle>{target}</refentrytitle><manvolnum>{0}</manvolnum>}
++{0#</citerefentry>}
++endif::backend-docbook[]
++
++ifdef::backend-html5[]
++[link-inlinemacro]
++<a href="{target}.html">{target}{0?({0})}</a>
++endif::backend-html5[]
+-- 
+2.39.2
+
diff --git a/network/patches/0063-man-Convert-network-8-from-docbook-to-asciidoc.patch b/network/patches/0063-man-Convert-network-8-from-docbook-to-asciidoc.patch
new file mode 100644
index 000000000..e5341d529
--- /dev/null
+++ b/network/patches/0063-man-Convert-network-8-from-docbook-to-asciidoc.patch
@@ -0,0 +1,503 @@ 
+From 44d5ffe94daa496c95bf91860a5211272d8f3ff1 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 27 Sep 2018 00:25:12 +0200
+Subject: [PATCH 063/304] man: Convert network(8) from docbook to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network.txt | 107 ++++++++++++++
+ man/network.xml | 368 ------------------------------------------------
+ 2 files changed, 107 insertions(+), 368 deletions(-)
+ create mode 100644 man/network.txt
+ delete mode 100644 man/network.xml
+
+diff --git a/man/network.txt b/man/network.txt
+new file mode 100644
+index 0000000..569449e
+--- /dev/null
++++ b/man/network.txt
+@@ -0,0 +1,107 @@
++network(8)
++==========
++
++NAME
++----
++network - IPFire Network Configuration Program
++
++SYNOPSIS
++--------
++[verse]
++'network' [<options>] <command> ...
++
++DESCRIPTION
++-----------
++The 'network' command is a tool which configures the network on every IPFire
++system. It is a fast and versatile way to create, edit and remove configurations,
++review the status of the network and it is working in the background of the
++system make sure that things are running smoothly.
++
++OPTIONS
++-------
++-d::
++--debug::
++	Enabled debugging mode.
++	In this mode, there wll be debug output on the console and written to
++	the log.
++	The debugging mode can be permanently enabled by setting 'DEBUG=1'.
++
++COMMANDS
++--------
++The following commands are understood:
++
++'start' [ZONE]::
++	Starts a zone. That means the zone is being created and brought up.
++	If one or more zones are passed to the command, only these will be
++	started.
++
++'stop' [ZONE]::
++	Stops a zone. This is the inverse of the 'start' command.
++
++'restart' [ZONE]::
++	Restarts a zone.
++
++'status' [ZONE]::
++	Shows an overview of the status of the zone.
++
++'zone' ...::
++	Commands to configure zones. See link:network-zone[8] for details.
++
++'port' ...::
++	Commands to configure ports. See link:network-port[8] for details.
++
++'device' ...::
++	See the status or execute commands to network devices.
++	See link:network-device[8] for details.
++
++'hostname' [HOSTNAME]::
++	Without the optional 'HOSTNAME' argument, this command will print
++	the configured hostname.
++	Passing 'HOSTNAME' will set it as the new hostname.
++
++'settings' ...::
++	Shows and alters global configuration parameters.
++	See link:network-settings[8] for details.
++
++'dns-server' ...::
++	This command allows to configure DNS servers.
++	See link::network-dns-server[8] for details.
++
++'route' ...::
++	This command allows managing static routes.
++	See link:network-route[8] for details.
++
++'vpn' ...::
++	The command allows managing VPN connections.
++	See link:network-vpn[8] for details.
++
++'reset'::
++	This command will reset all network configuration.
++	All zones, ports and other settings will be removed.
++
++'help' ...::
++	Shows this man page.
++
++EXIT CODES
++----------
++The 'network' command will normally exit with code zero.
++If there has been aproblem and the requested action could not be performed,
++the exit code is unequal to zero.
++
++BUGS
++----
++Please report all bugs to the bugtracker at https://bugzilla.ipfire.org/.
++
++AUTHORS
++-------
++Michael Tremer
++
++SEE ALSO
++--------
++link:network-settings[8]
++link:network-device[8]
++link:network-dns-server[8]
++link:network-performance-tuning[8]
++link:network-port[8]
++link:network-quick-start[8]
++link:network-zone[8]
+diff --git a/man/network.xml b/man/network.xml
+deleted file mode 100644
+index 0a97453..0000000
+--- a/man/network.xml
++++ /dev/null
+@@ -1,368 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network">
+-	<refentryinfo>
+-		<title>network</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network</command>
+-			<arg choice="opt" rep="repeat">OPTIONS</arg>
+-			<arg choice="plain">COMMAND</arg>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The <command>network</command> command is a tool which configures
+-			the network on every IPFire system. It is a fast and versatile
+-			way to create, edit and remove configurations, review the status
+-			of the network and it is working in the background of the system
+-			making sure that things are running smoothly.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Options</title>
+-
+-		<para>
+-			The following options are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<option>-d</option>
+-				</term>
+-				<term>
+-					<option>--debug</option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enables the debugging mode.
+-						In this mode, there will be debug output on
+-						the console and written to the log.
+-					</para>
+-					<para>
+-						The debugging mode can be permanently enabled by setting
+-						<varname>DEBUG=1</varname>
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>start <replaceable>ZONE-NAME</replaceable>...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Starts a zone. That means the network zone will be created
+-						and brought up.
+-						If one or more zone names are passed to the command, only
+-						these will be started.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>stop <replaceable>ZONE-NAME</replaceable>...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Stops a zone. This is the inverse of the <command>start</command>
+-						command.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>restart <replaceable>ZONE-NAME</replaceable>...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Restarts a zone.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>status <replaceable>ZONE-NAME</replaceable>...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Shows a human-readable overview of the status
+-						of the network zone.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>zone ...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Configure a zone or show status information.
+-						See <citerefentry>
+-							<refentrytitle>network-zone</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry> for details.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>port ...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Configure a port or show status information.
+-						See <citerefentry>
+-							<refentrytitle>network-port</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry> for details.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>device ...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Show status information about network devices.
+-						See <citerefentry>
+-							<refentrytitle>network-device</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry> for details.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>config <replaceable><varname>KEY=VALUE</varname></replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Shows and alters global configuration parameters.
+-						See <citerefentry>
+-							<refentrytitle>network-settings</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry> for details.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>help [<replaceable>TYPE</replaceable>
+-						<replaceable>HOOK</replaceable>|<replaceable>TYPE</replaceable> list-hooks]</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Calling <command>network help</command> without any
+-						arguments will show you this man page.
+-					</para>
+-					<para>
+-						<command>network help <replaceable>TYPE</replaceable> list-hooks</command>
+-						will print a list of all hooks of <replaceable>TYPE</replaceable>.
+-					</para>
+-					<para>
+-						You may optionally pass two arguments, to view the help
+-						of a certain hook.
+-						The type of the hook <replaceable>TYPE</replaceable>
+-						needs to be passed as well as the name of the hook
+-						<replaceable>HOOK</replaceable>.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>hostname <replaceable>HOSTNAME</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <command>hostname</command> command will return the
+-						currently configured hostname of the system.
+-					</para>
+-					<para>
+-						If a new hostname is added to the command line,
+-						it will be configured, but will be set after the next
+-						reboot.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>dns-server ...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <command>dns-server</command> command will help you
+-						configuring the local DNS servers.
+-						See <citerefentry>
+-							<refentrytitle>network-dns-server</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry> for details.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>route ...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <command>route</command> command allows managing static routes.
+-						See <citerefentry>
+-							<refentrytitle>network-route</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry> for details.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>vpn ...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <command>vpn</command> allows managing VPN connections.
+-						See <citerefentry>
+-							<refentrytitle>network-vpn</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry> for details.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>reset</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <command>reset</command> command will reset all
+-						network configuration. That means all zone configurations
+-						will be removed and there will be no networking after the
+-						next reboot.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Exit Codes</title>
+-
+-		<para>
+-			The <command>network</command> command will normally exit with code 0.
+-			If there has been a problem and the requested action could not be done,
+-			the exit code is unequal to zero.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Bugs</title>
+-
+-		<para>
+-			Please report all bugs to the official bugtracker at
+-			http://bugs.ipfire.org/.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network-settings</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-device</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-dns-server</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-performance-tuning</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-port</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-quick-start</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0064-man-Convert-network-color-8-to-asciidoc.patch b/network/patches/0064-man-Convert-network-color-8-to-asciidoc.patch
new file mode 100644
index 000000000..ff765aa14
--- /dev/null
+++ b/network/patches/0064-man-Convert-network-color-8-to-asciidoc.patch
@@ -0,0 +1,152 @@ 
+From b2f5dc13f74d0b740885f99a7d1408480da582cf Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 27 Sep 2018 00:34:35 +0200
+Subject: [PATCH 064/304] man: Convert network-color(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-color.txt | 33 ++++++++++++++++
+ man/network-color.xml | 91 -------------------------------------------
+ 2 files changed, 33 insertions(+), 91 deletions(-)
+ create mode 100644 man/network-color.txt
+ delete mode 100644 man/network-color.xml
+
+diff --git a/man/network-color.txt b/man/network-color.txt
+new file mode 100644
+index 0000000..7c95e18
+--- /dev/null
++++ b/man/network-color.txt
+@@ -0,0 +1,33 @@
++network-color(8)
++================
++
++NAME
++----
++network-color - IPFire Network Configuration Control Program
++
++DESCRIPTION
++-----------
++The 'color' command helps to manage colors for zones and ports.
++The color is being used to make identification of a zone or port easier on the
++command line and web user interface.
++
++COMMANDS
++--------
++The following commands are understood:
++
++'set' [AABBCC]::
++	The color of a zone or port is set with the 'set' command.
++	It is required to pass a color in hex formatting.
++
++'reset'::
++	Resets the color of a zone or port to blank.
++
++AUTHOR
++------
++Jonatan Schlag
++
++SEE ALSO
++--------
++link:network[8]
++link:network-zone[8]
++link:network-port[8]
+diff --git a/man/network-color.xml b/man/network-color.xml
+deleted file mode 100644
+index caf2349..0000000
+--- a/man/network-color.xml
++++ /dev/null
+@@ -1,91 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-color">
+-	<refentryinfo>
+-		<title>networ-color</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Jonatan</firstname>
+-				<surname>Schlag</surname>
+-				<email>jonatan.schlag@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-color</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-color</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The <command>color</command> helps to manage colors for zone and ports.
+-			The color is used to make identification of a zone or port easier on the
+-			command line or web user interface.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>set <replaceable>00AABB</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The color of a zone or port is set with the <command>set</command> command.
+-						It is always required to pass a valid color hex value (e.g. 880400).
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-			<varlistentry>
+-				<term>
+-					<command>reset</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command resets the color of a zone or port to blank.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-	</variablelist>
+-	</refsect1>
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-port</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0065-man-Drop-test-page.patch b/network/patches/0065-man-Drop-test-page.patch
new file mode 100644
index 000000000..5dd0ddc36
--- /dev/null
+++ b/network/patches/0065-man-Drop-test-page.patch
@@ -0,0 +1,44 @@ 
+From 91305dee4f83ca35758e756903e3324117a26a7d Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 27 Sep 2018 00:36:02 +0200
+Subject: [PATCH 065/304] man: Drop test page
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am  |  1 -
+ man/test.txt | 11 -----------
+ 2 files changed, 12 deletions(-)
+ delete mode 100644 man/test.txt
+
+diff --git a/Makefile.am b/Makefile.am
+index ebf3be7..55d5d18 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -453,7 +453,6 @@ INSTALL_DIRS += \
+ # ------------------------------------------------------------------------------
+ 
+ MANPAGES = \
+-	man/test.8 \
+ 	man/firewall-settings.8 \
+ 	man/network.8 \
+ 	man/network-color.8 \
+diff --git a/man/test.txt b/man/test.txt
+deleted file mode 100644
+index 4c9d35d..0000000
+--- a/man/test.txt
++++ /dev/null
+@@ -1,11 +0,0 @@
+-test(8)
+-=======
+-
+-NAME
+-----
+-test - Hello World!
+-
+-SYNOPSIS
+---------
+-[verse]
+-'hello world' [<options>] <file>
+-- 
+2.39.2
+
diff --git a/network/patches/0066-man-network-color-Add-synopsis.patch b/network/patches/0066-man-network-color-Add-synopsis.patch
new file mode 100644
index 000000000..6097f2a90
--- /dev/null
+++ b/network/patches/0066-man-network-color-Add-synopsis.patch
@@ -0,0 +1,32 @@ 
+From 62191ec375cf7fc957690d88c663ae7ad479a1a4 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 27 Sep 2018 00:47:19 +0200
+Subject: [PATCH 066/304] man: network-color: Add synopsis
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-color.txt | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/man/network-color.txt b/man/network-color.txt
+index 7c95e18..f3be474 100644
+--- a/man/network-color.txt
++++ b/man/network-color.txt
+@@ -3,7 +3,13 @@ network-color(8)
+ 
+ NAME
+ ----
+-network-color - IPFire Network Configuration Control Program
++network-color - Allows assigning a color to a zone or port
++
++SYNOPSIS
++--------
++[verse]
++'network' [zone ZONE|port PORT] color set AABBCC
++'network' [zone ZONE|port PORT] reset
+ 
+ DESCRIPTION
+ -----------
+-- 
+2.39.2
+
diff --git a/network/patches/0067-man-Convert-firewall-settings-to-asciidoc.patch b/network/patches/0067-man-Convert-firewall-settings-to-asciidoc.patch
new file mode 100644
index 000000000..8751171af
--- /dev/null
+++ b/network/patches/0067-man-Convert-firewall-settings-to-asciidoc.patch
@@ -0,0 +1,409 @@ 
+From 66fe74f95f4da254fc1162c591a40012c17aab07 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 21:16:10 +0200
+Subject: [PATCH 067/304] man: Convert firewall-settings to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/firewall-settings.txt |  97 +++++++++++++
+ man/firewall-settings.xml | 284 --------------------------------------
+ 2 files changed, 97 insertions(+), 284 deletions(-)
+ create mode 100644 man/firewall-settings.txt
+ delete mode 100644 man/firewall-settings.xml
+
+diff --git a/man/firewall-settings.txt b/man/firewall-settings.txt
+new file mode 100644
+index 0000000..20038e3
+--- /dev/null
++++ b/man/firewall-settings.txt
+@@ -0,0 +1,97 @@
++firewall-settings(8)
++====================
++
++NAME
++----
++firewall-settings - Global firewall settings
++
++SYNOPSIS
++--------
++[verse]
++'firewall settings'
++'firewall settings' KEY=VALUE ...
++
++DESCRIPTION
++-----------
++This command is used to set global firewall settings.
++Please have a look at the individual man pages for more options.
++
++COMMANDS
++--------
++If no argument is given, the configuration will be dumped to the console.
++
++You may set a new value by adding the variable name and the new value to
++the command line.
++
++SETTINGS
++--------
++=== CONNTRACK_MAX_CONNECTIONS = 16384
++Limits the max. number of simultaneous connections.
++
++Modify this if you want to handle a larger number of concurrent
++connections. Every connection will use approx. 16 kBytes of memory.
++
++=== CONNTRACK_UDP_TIMEOUT = 60
++Defines the timeout (in seconds) the kernel will wait until
++a half-assured UDP connection is fully established.
++
++=== FIREWALL_ACCEPT_ICMP_REDIRECTS = [true|false]
++Enable if you want to accept ICMP redirect messages.
++
++=== FIREWALL_CLAMP_PATH_MTU = [true|false]
++If Path MTU Discovery does not work well, enable this option.
++
++It sets the MSS value of a packet so that the remote site would
++never send a packet bigger than the MSS value.
++
++No ICMP packets are needed to make this work, so use this on
++networks with broken ICMP filtering.
++
++=== FIREWALL_DEFAULT_TTL = 64
++Here you can change the default TTL used for sending packets.
++
++The given value must be between 10 and 255.
++Don't mess with this unless you know what you are doing.
++
++=== FIREWALL_LOG_BAD_TCP_FLAGS = [true|false]
++Enable this to log TCP packets with bad flags or options.
++
++=== FIREWALL_LOG_INVALID_ICMP = [true|false]
++Enable this to log INVALID ICMP packets.
++
++=== FIREWALL_LOG_INVALID_TCP = [true|false]
++Enable this to log INVALID TCP packets.
++
++=== FIREWALL_LOG_INVALID_UDP = [true|false]
++Enable this to log INVALID UDP packets.
++
++=== FIREWALL_LOG_MARTIANS = [true|false]
++Enable this to log packets with impossible addresses.
++
++=== FIREWALL_LOG_STEALTH_SCANS = [true|false]
++Enable this to log all stealth scans.
++
++=== FIREWALL_PMTU_DISCOVERY = [true|false]
++Enables Path MTU Discovery.
++
++=== FIREWALL_RP_FILTER = [true|false]
++Enable to drop connection from non-routable IPs,
++e.g. prevent source routing.
++
++=== FIREWALL_SYN_COOKIES = [true|false]
++Enable for SYN-flood protection.
++
++=== FIREWALL_USE_ECN = [true|false]
++Enables the ECN (Explicit Congestion Notification) TCP flag.
++
++Some routers on the Internet still do not support ECN properly.
++When this setting is disabled, ECN is only advertised
++when asked for.
++
++AUTHORS
++-------
++Michael Tremer
++
++SEE ALSO
++--------
++link:firewall[8]
+diff --git a/man/firewall-settings.xml b/man/firewall-settings.xml
+deleted file mode 100644
+index 7357f4c..0000000
+--- a/man/firewall-settings.xml
++++ /dev/null
+@@ -1,284 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="firewall-settings">
+-	<refentryinfo>
+-		<title>firewall-settings</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>firewall-settings</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>firewall-settings</refname>
+-		<refpurpose>Firewall Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>firewall-settings</command>
+-		</cmdsynopsis>
+-
+-		<cmdsynopsis>
+-			<command>firewall-settings <replaceable>KEY=VALUE</replaceable></command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The <command>firewall-settings</command> command may be used to set
+-			global firewall settingsuration options.
+-		</para>
+-		<para>
+-			Please have a look at the individual man pages for more options.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			If no additional argument is given, running the command will
+-			dump a list of all settingsuration variables and their current values.
+-		</para>
+-
+-		<para>
+-			You may set a new value by adding the variable name and the new
+-			value to the command line.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Variables</title>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<varname>CONNTRACK_MAX_CONNECTIONS</varname> = <replaceable>16384</replaceable>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Limits the max. number of simultaneous connections.
+-					</para>
+-					<para>
+-						Modify this if you want to handle a larger number of concurrent
+-						connections. Every connection will use approx. 16 kBytes of memory.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>CONNTRACK_UDP_TIMEOUT</varname> = <replaceable>60</replaceable>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Defines the timeout (in seconds) the kernel will wait until
+-						a half-assured UDP connection is fully established.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_ACCEPT_ICMP_REDIRECTS</varname> = [true|<emphasis>false</emphasis>]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enable if you want to accept ICMP redirect messages.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_CLAMP_PATH_MTU</varname> = [true|<emphasis>false</emphasis>]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						If Path MTU Discovery does not work well, enable this option.
+-						It sets the MSS value of a packet so that the remote site would
+-						never send a packet bigger than the MSS value.
+-					</para>
+-					<para>
+-						No ICMP packets are needed to make this work, so use this on
+-						networks with broken ICMP filtering.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_DEFAULT_TTL</varname> = <replaceable>64</replaceable>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Here you can change the default TTL used for sending packets.
+-					</para>
+-					<para>
+-						The given value must be between 10 and 255.
+-						Don't mess with this unless you know what you are doing.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_LOG_BAD_TCP_FLAGS</varname> = [<emphasis>true</emphasis>|false]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enable this to log TCP packets with bad flags or options.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_LOG_INVALID_ICMP</varname> = [<emphasis>true</emphasis>|false]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enable this to log INVALID ICMP packets.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_LOG_INVALID_TCP</varname> = [<emphasis>true</emphasis>|false]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enable this to log INVALID TCP packets.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_LOG_INVALID_UDP</varname> = [<emphasis>true</emphasis>|false]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enable this to log INVALID UDP packets.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_LOG_MARTIANS</varname> = [true|<emphasis>false</emphasis>]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enable this to log packets with impossible addresses.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_LOG_STEALTH_SCANS</varname> = [<emphasis>true</emphasis>|false]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enable this to log all stealth scans.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_PMTU_DISCOVERY</varname> = [true|<emphasis>false</emphasis>]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enables Path MTU Discovery.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_RP_FILTER</varname> = [<emphasis>true</emphasis>|false]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enable to drop connection from non-routable IPs,
+-						e.g. prevent source routing.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_SYN_COOKIES</varname> = [<emphasis>true</emphasis>|false]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enable for SYN-flood protection.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>FIREWALL_USE_ECN</varname> = [<emphasis>true</emphasis>|false]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Enables the ECN (Explicit Congestion Notification) TCP flag.
+-					</para>
+-					<para>
+-						Some routers on the Internet still do not support ECN properly,
+-						so this is not enabled by default.
+-						When this setting is disabled, ECN is only advertised
+-						when asked for.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>firewall</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0068-man-Convert-network-description-8-to-asciidoc.patch b/network/patches/0068-man-Convert-network-description-8-to-asciidoc.patch
new file mode 100644
index 000000000..4c993a4b7
--- /dev/null
+++ b/network/patches/0068-man-Convert-network-description-8-to-asciidoc.patch
@@ -0,0 +1,144 @@ 
+From c601b69e5d8db595fee00241702ee8bd2689c49e Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 21:24:48 +0200
+Subject: [PATCH 068/304] man: Convert network-description(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am                 |  1 -
+ man/include-description.txt | 11 +++++
+ man/network-description.xml | 92 -------------------------------------
+ 3 files changed, 11 insertions(+), 93 deletions(-)
+ create mode 100644 man/include-description.txt
+ delete mode 100644 man/network-description.xml
+
+diff --git a/Makefile.am b/Makefile.am
+index 55d5d18..287a111 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -456,7 +456,6 @@ MANPAGES = \
+ 	man/firewall-settings.8 \
+ 	man/network.8 \
+ 	man/network-color.8 \
+-	man/network-description.8 \
+ 	man/network-device.8 \
+ 	man/network-dhcp.8 \
+ 	man/network-dns-server.8 \
+diff --git a/man/include-description.txt b/man/include-description.txt
+new file mode 100644
+index 0000000..a39ba55
+--- /dev/null
++++ b/man/include-description.txt
+@@ -0,0 +1,11 @@
++'description edit'::
++	This command opens an editor and allows you to edit title and description.
++
++	NOTE: The formation of the description is similar to a git commit.
++	Every description has a title, the first line of the description.
++	The title is shown on the status page and in the web user interface.
++	It should be something short like "Office Lan" or "DMZ".
++	After the title can follow a longer description.
++
++'description show'::
++	Prints the description.
+diff --git a/man/network-description.xml b/man/network-description.xml
+deleted file mode 100644
+index f1722b4..0000000
+--- a/man/network-description.xml
++++ /dev/null
+@@ -1,92 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-color">
+-	<refentryinfo>
+-		<title>networ-color</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Jonatan</firstname>
+-				<surname>Schlag</surname>
+-				<email>jonatan.schlag@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-description</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-description</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The <command>description</command> command make it possible to add descriptions to zone and ports.
+-			A description is similar to a git commit. Every description has a title, the first line of the describtion file.
+-			The title is shown on the status page and in the webinterface. It should be something short like Office Lan or DMZ.
+-			After the title can follow a longer description. You can write whatever you want.
+-			This longer description is shown via the <command>show</command> command
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>edit</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-					This command opens an editor and allows you to edit title and description.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-			<varlistentry>
+-				<term>
+-					<command>show</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command prints title and the longer description in a nice way.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-	</variablelist>
+-	</refsect1>
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-port</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0069-man-Convert-network-device-8-to-asciidoc.patch b/network/patches/0069-man-Convert-network-device-8-to-asciidoc.patch
new file mode 100644
index 000000000..1cdc8b87d
--- /dev/null
+++ b/network/patches/0069-man-Convert-network-device-8-to-asciidoc.patch
@@ -0,0 +1,254 @@ 
+From 9d2265232d8a1c399617e347bda66a8019d8b36d Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 21:40:53 +0200
+Subject: [PATCH 069/304] man: Convert network-device(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-device.txt |  61 +++++++++++++++
+ man/network-device.xml | 165 -----------------------------------------
+ 2 files changed, 61 insertions(+), 165 deletions(-)
+ create mode 100644 man/network-device.txt
+ delete mode 100644 man/network-device.xml
+
+diff --git a/man/network-device.txt b/man/network-device.txt
+new file mode 100644
+index 0000000..33fcefa
+--- /dev/null
++++ b/man/network-device.txt
+@@ -0,0 +1,61 @@
++network(8)
++==========
++
++NAME
++----
++network-device - Controls network devices
++
++SYNOPSIS
++--------
++[verse]
++'network device' [<options>] <command> ...
++
++DESCRIPTION
++-----------
++The 'network device' command shows low-level status information
++of network devices and other things.
++
++COMMANDS
++--------
++The following commands are understood:
++
++'list'::
++	This command shows a list of all device that are currently present
++	on this system. This includes PHYs and serial devices as well.
++
++'DEVICE discover'::
++	Runs a discovery for many hooks on the given device.
++
++	This will check if the hook can find for example a DHCP server or
++	DSLAM and thus predict for what the device should be used.
++
++'DEVICE identify'::
++	This command only works for Ethernet adapters and will make those
++	that support this feature flash for a few seconds.
++
++	It is handy to find the right device to put the cable in.
++
++'DEVICE monitor'::
++	This command creates a monitor interface for wireless modules.
++
++	An instance of link:tcpdump[8] will be started and show all
++	frames that are sent or received on the 802.11 layer (layer 2).
++
++'DEVICE status'::
++	This will show you very detailed information about the given device.
++
++'DEVICE unlock'::
++	This command will unlock the SIM card in a modem.
++	Only serial devices are supported which are the most 4G or 3G modems.
++
++	For the PIN or PUK code, the user will be prompted.
++
++AUTHORS
++-------
++Michael Tremer
++
++SEE ALSO
++--------
++link:network[8]
++link:network-port[8]
++link:network-zone[8]
+diff --git a/man/network-device.xml b/man/network-device.xml
+deleted file mode 100644
+index 11dc04e..0000000
+--- a/man/network-device.xml
++++ /dev/null
+@@ -1,165 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-device">
+-	<refentryinfo>
+-		<title>network-device</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-device</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-device</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network device <arg choice="plain">COMMAND</arg></command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			With help of the <command>device</command> subcommands, it is very easy
+-			to get status information about network devices and to do some more
+-			things.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>list</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <command>list</command> command will show a list
+-						of all devices that are currently plugged in or active
+-						on the system.
+-						This includes PHYs and serial devices as well.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>DEVICE</replaceable> status</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This will show you very detailed information about the given
+-						device.
+-					</para>
+-					<para>
+-						This is all about the ethernet parts of the device and
+-						does not contain any IP information as this is defined
+-						as a zone (<citerefentry>
+-							<refentrytitle>network-zone</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry>).
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>DEVICE</replaceable> identify</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command only works for Ethernet adapters and will
+-						make those that support this feature flash for a few
+-						seconds.
+-						It is handy to find the right device to put the cable in.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>DEVICE</replaceable> discover</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Runs a discovery for many hooks on the given device.
+-						This will check if the hook can find for example a DHCP
+-						server or DSLAM and thus predict for what the device
+-						should be used.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>DEVICE</replaceable> unlock</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command will unlock the SIM card in a modem.
+-						Only serial devices are supported which are the most
+-						UMTS or 3G modems.
+-					</para>
+-					<para>
+-						For the PIN or PUK code, the user will be prompted.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>DEVICE</replaceable> monitor</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <command>monitor</command> command is used to
+-						create a monitor interface for wireless modules.
+-						An instance of tcpdump will be started and show
+-						all frames that are sent or received on the 802.11
+-						layer (layer 2) of the wireless network.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0070-man-Convert-network-dhcp-8-to-asciidoc.patch b/network/patches/0070-man-Convert-network-dhcp-8-to-asciidoc.patch
new file mode 100644
index 000000000..95cd6ce5e
--- /dev/null
+++ b/network/patches/0070-man-Convert-network-dhcp-8-to-asciidoc.patch
@@ -0,0 +1,217 @@ 
+From c6e12dc53a1e65a0089ee0ddb0573a29bc2acd8a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 21:46:49 +0200
+Subject: [PATCH 070/304] man: Convert network-dhcp(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-dhcp.txt |  44 +++++++++++++
+ man/network-dhcp.xml | 145 -------------------------------------------
+ 2 files changed, 44 insertions(+), 145 deletions(-)
+ create mode 100644 man/network-dhcp.txt
+ delete mode 100644 man/network-dhcp.xml
+
+diff --git a/man/network-dhcp.txt b/man/network-dhcp.txt
+new file mode 100644
+index 0000000..a448619
+--- /dev/null
++++ b/man/network-dhcp.txt
+@@ -0,0 +1,44 @@
++network(8)
++==========
++
++NAME
++----
++network-dhcp - Controls the DHCP Server
++
++SYNOPSIS
++--------
++[verse]
++'network dhcpv6' <command> ...
++'network dhcpv4' <command> ...
++
++DESCRIPTION
++-----------
++With help of the DHCP commands it is possible to configure DHCP
++servers for IPv6 and IPv4.
++
++COMMANDS
++--------
++The following commands are understood:
++
++'start'::
++	Starts the DHCP server.
++
++'stop'::
++	Stops the DHCP server.
++
++'restart'::
++	Restarts the DHCP server.
++
++'reload'::
++	Reload the DHCP server configuration.
++
++'subnet ...'::
++	TODO
++
++AUTHORS
++-------
++Michael Tremer
++
++SEE ALSO
++--------
++link:network[8]
+diff --git a/man/network-dhcp.xml b/man/network-dhcp.xml
+deleted file mode 100644
+index cc081bb..0000000
+--- a/man/network-dhcp.xml
++++ /dev/null
+@@ -1,145 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-dhcp">
+-	<refentryinfo>
+-		<title>network-dhcp</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-dhcp</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-dhcp</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network <arg choice="plain">[dhcpv6|dhcpv4]</arg> <arg choice="plain">command</arg> ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			With help of the <command>dhcp</command> commands it is possible to
+-			configure DHCP servers for IPv6 and IPv4.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>start</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Starts the DHCP service.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>stop</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Stops the DHCP service.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>restart</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Restarts the DHCP service immediately.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>reload</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Reload the DHCP service configuration.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>show</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Shows the DHCP configuration.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>subnet ...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Use this command to manage subnets.
+-						See <citerefentry>
+-							<refentrytitle>network-dhcp-subnet</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry> for details.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-dhcp-subnet</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0071-man-Convert-network-dns-server-8-to-asciidoc.patch b/network/patches/0071-man-Convert-network-dns-server-8-to-asciidoc.patch
new file mode 100644
index 000000000..a8f55a10b
--- /dev/null
+++ b/network/patches/0071-man-Convert-network-dns-server-8-to-asciidoc.patch
@@ -0,0 +1,306 @@ 
+From 063089cbdb2745248bd8556e87de4a0d2bc8091d Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 21:59:01 +0200
+Subject: [PATCH 071/304] man: Convert network-dns-server(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-dns-server.txt |  75 ++++++++++++++
+ man/network-dns-server.xml | 203 -------------------------------------
+ 2 files changed, 75 insertions(+), 203 deletions(-)
+ create mode 100644 man/network-dns-server.txt
+ delete mode 100644 man/network-dns-server.xml
+
+diff --git a/man/network-dns-server.txt b/man/network-dns-server.txt
+new file mode 100644
+index 0000000..bd01ca7
+--- /dev/null
++++ b/man/network-dns-server.txt
+@@ -0,0 +1,75 @@
++network-dns-server(8)
++=====================
++
++NAME
++----
++network-dns-server - Controls the DNS settings
++
++SYNOPSIS
++--------
++[verse]
++'network dns-server' add SERVER [PRIORITY]
++'network dns-server' remove SERVER
++'network dns-server' list
++'network dns-server' update
++
++DESCRIPTION
++-----------
++With this command, you will be able to configure the local DNS
++configuration.
++
++You may add and remove DNS servers as well as view the settings.
++
++COMMANDS
++--------
++The following commands are understood:
++
++'add' SERVER [PRIORITY]::
++	A new DNS server may be added to the list by the
++	'add' command.
++	A priority that will rank the server my optionally be given.
++
++	NOTE: SERVER must be a valid IP address and PRIORITY
++	must be a positive number.
++	The smaller this number, the higher is is the rank of
++	the server.
++
++'remove' SERVER::
++	The given server will be removed from the list of DNS servers.
++
++'list'::
++	Shows a list of all servers that are currently in use.
++
++'update'::
++	This command will re-create the system's configuration
++	files. It should not be required to use this command
++	very often.
++
++SETTINGS
++--------
++The following settings may be set using link:network-settings[8]:
++
++'DNS_USE_LOCAL_RESOLVER = [true|false]'::
++	This option defines whether the local DNS resolver should
++	be used or not.
++
++	Basically, the option adds localhost to the list of nameservers
++	in link:resolv.conf[5].
++
++'DNS_SEARCH_DOMAINS ='::
++	This setting configures the search domains for DNS queries
++	made by the local system.
++
++'DNS_RANDOMIZE = [true|false]'::
++	This option will break the DNS server ranks and will query
++	them in a random order which is useful to load-balance
++	multiple DNS servers.
++
++AUTHORS
++-------
++Michael Tremer
++
++SEE ALSO
++--------
++link:network[8],
++link:network-settings[8]
+diff --git a/man/network-dns-server.xml b/man/network-dns-server.xml
+deleted file mode 100644
+index aec52d4..0000000
+--- a/man/network-dns-server.xml
++++ /dev/null
+@@ -1,203 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-dns-server">
+-	<refentryinfo>
+-		<title>network-dns-server</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-dns-server</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-dns-server</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network dns-server <arg choice="plain">[add|remove]</arg> <arg choice="plain">SERVER</arg> [<arg choice="plain">PRIORITY</arg>]</command>
+-		</cmdsynopsis>
+-
+-		<cmdsynopsis>
+-			<command>network dns-server <arg choice="plain">[list|update]</arg></command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			With help of the <command>dns-server</command> subcommand, you will
+-			be able to configure the local DNS configuration.
+-			DNS is short for Domain Name System.
+-		</para>
+-		<para>
+-			You may add and remove DNS servers as well as view the settings.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>
+-						add
+-						<replaceable>SERVER</replaceable>
+-						[<replaceable>PRIORITY</replaceable>]
+-					</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						A new DNS server may be added to the list by the
+-						<command>add</command> command. A priority that will
+-						rank the server my optionally be given.
+-					</para>
+-					<para>
+-						<replaceable>SERVER</replaceable> must be a valid IP address
+-						and <replaceable>PRIORITY</replaceable> must be a positive
+-						integer number. The smaller this number, the higher is
+-						is the rank of the server.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>
+-						remove
+-						<replaceable>SERVER</replaceable>
+-					</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The given server will be removed from the list of
+-						DNS servers.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>list</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Shows a list of all servers that are currently in use.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>update</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command will re-create the system's configuration
+-						files. It should not be required to use this command
+-						very often.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Variables</title>
+-
+-		<para>
+-			These variables may be set by using the <citerefentry>
+-				<refentrytitle>network-settings</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry> command.
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<varname>DNS_USE_LOCAL_RESOLVER</varname>=[<emphasis>true</emphasis>|false]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This option defines whether the local DNS resolver should
+-						be used or not.
+-					</para>
+-					<para>
+-						Basically, the option adds localhost to the list of
+-						nameservers in <citerefentry>
+-							<refentrytitle>resolv.conf</refentrytitle>
+-							<manvolnum>5</manvolnum>
+-						</citerefentry>.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>DNS_SEARCH_DOMAINS</varname>=
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This setting configures the search domains for DNS queries
+-						made by the local system.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>DNS_RANDOMIZE</varname>=[true|<emphasis>false</emphasis>]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This option will break the DNS server ranks and will query
+-						them in a random order which is useful to load-balance
+-						multiple DNS servers.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-settings</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0072-man-Convert-network-performance-tuning-8-to-asciidoc.patch b/network/patches/0072-man-Convert-network-performance-tuning-8-to-asciidoc.patch
new file mode 100644
index 000000000..dd508342b
--- /dev/null
+++ b/network/patches/0072-man-Convert-network-performance-tuning-8-to-asciidoc.patch
@@ -0,0 +1,135 @@ 
+From c20f292770a6423c112b7f96d724bb13c4019d2a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 22:04:08 +0200
+Subject: [PATCH 072/304] man: Convert network-performance-tuning(8) to
+ asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-performance-tuning.txt | 33 ++++++++++++++
+ man/network-performance-tuning.xml | 73 ------------------------------
+ 2 files changed, 33 insertions(+), 73 deletions(-)
+ create mode 100644 man/network-performance-tuning.txt
+ delete mode 100644 man/network-performance-tuning.xml
+
+diff --git a/man/network-performance-tuning.txt b/man/network-performance-tuning.txt
+new file mode 100644
+index 0000000..763ee21
+--- /dev/null
++++ b/man/network-performance-tuning.txt
+@@ -0,0 +1,33 @@
++network-performance-tuning(8)
++=============================
++
++NAME
++----
++network-performance-tuning - Performance Tuning for Networking
++
++DESCRIPTION
++-----------
++This page contains a summary of some performance tuning techniques
++that this system is using.
++
++=== SMP Affinity
++
++This system is automatically using SMP affinity for every physical
++network controller, if supported.
++
++A processor core is assigned to handle all interrupts of a certain
++network controller which will result in minimising cache misses,
++reducing network latency and quite possibly increasing throughput.
++
++The algorithm is trying to balance all network controllers across
++all processors.
++
++See /proc/interrups for the distribution of interrupts. 
++
++AUTHORS
++-------
++Michael Tremer
++
++SEE ALSO
++--------
++link:network[8]
+diff --git a/man/network-performance-tuning.xml b/man/network-performance-tuning.xml
+deleted file mode 100644
+index 898f142..0000000
+--- a/man/network-performance-tuning.xml
++++ /dev/null
+@@ -1,73 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-performance-tuning">
+-	<refentryinfo>
+-		<title>network-performance-tuning</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-performance-tuning</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-performance-tuning</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			This page contains a summary of some performance tuning techniques
+-			that this system is using.
+-		</para>
+-	</refsect1>
+-
+-	<refsect2>
+-		<title>SMP Affinity</title>
+-
+-		<para>
+-			This system is automatically using SMP affinity for every physical
+-			network controller, if supported.
+-		</para>
+-
+-		<para>
+-			A processor core is assigned to handle all interrupts of a certain
+-			network controller which will result in minimising cache misses,
+-			reducing network latency and quite possibly increasing throughput.
+-		</para>
+-
+-		<para>
+-			The algorithm is trying to balance all network controllers across
+-			all processors.
+-		</para>
+-
+-		<para>
+-			See /proc/interrups for the distribution of interrupts. 
+-		</para>
+-	</refsect2>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0073-man-Convert-network-port-8-to-asciidoc.patch b/network/patches/0073-man-Convert-network-port-8-to-asciidoc.patch
new file mode 100644
index 000000000..d892b4ff7
--- /dev/null
+++ b/network/patches/0073-man-Convert-network-port-8-to-asciidoc.patch
@@ -0,0 +1,370 @@ 
+From 065346332054e3b2be85bee3f6d71a3dc34d6275 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 22:27:40 +0200
+Subject: [PATCH 073/304] man: Convert network-port(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-port.txt |  97 +++++++++++++++++
+ man/network-port.xml | 245 -------------------------------------------
+ 2 files changed, 97 insertions(+), 245 deletions(-)
+ create mode 100644 man/network-port.txt
+ delete mode 100644 man/network-port.xml
+
+diff --git a/man/network-port.txt b/man/network-port.txt
+new file mode 100644
+index 0000000..08b9e90
+--- /dev/null
++++ b/man/network-port.txt
+@@ -0,0 +1,97 @@
++network-port(8)
++===============
++
++NAME
++----
++network-port - Controls Network Ports
++
++SYNOPSIS
++--------
++[verse]
++'network port' new HOOK ...
++'network port' destroy PORT
++'network port' PORT color
++'network port' PORT create
++'network port' PORT description edit
++'network port' PORT description show
++'network port' PORT down
++'network port' PORT edit ...
++'network port' PORT identify
++'network port' PORT remove
++'network port' PORT status
++'network port' PORT up
++
++DESCRIPTION
++-----------
++This command creates, deletes, changes and views the configuration
++and status of ports.
++
++NOTE: A port is a physical or virtual device that is directly connected
++to an other network. It connects those and zones together.
++The 'network device' command shows status information of network devices
++and other things.
++
++COMMANDS
++--------
++The following commands are understood:
++
++'new' HOOK ...::
++	A new port may be created with this command.
++	HOOK must be a valid hook which may require more options.
++
++'destroy' PORT::
++	Destroys the port PORT.
++	The port is removed from any zones it is attached to and shut down.
++
++For all other commands, the name of the port needs to be passed first:
++
++'color'::
++	This command allows settings a color for a port.
++	See link:network-color[8] for more information.
++
++'create'::
++	This will create devices for the existing port PORT.
++
++	This does not create a new port. It will just create the (possibly
++	virtual) interface this port (i.e. create an interface for a WiFi
++	module or a VLAN device).
++
++	The interface is not brought up. Use the 'up' command to do that.
++
++include::include-description.txt[]
++
++'down'::
++	Shuts down the port.
++
++'edit'::
++	This command can be used to alter the configuration of a port.
++	Consult the documentation of the port hook to find out what is supported.
++
++'identify'::
++	This command will make the port flash for a few seconds
++	so that you can identify the correct network adapters
++	in the system.
++
++	This is not supported by all network adapters.
++
++'remove'::
++	This will remove an existing PORT.
++
++	This does not destroy the port. It inverses the operation performed
++	by the 'create' command.
++
++'status'::
++	This will show some detailed information about the status
++	of the specified port.
++
++'up'::
++	Brings up the port. It has to be created first.
++
++AUTHORS
++-------
++Michael Tremer
++
++SEE ALSO
++--------
++link:network[8],
++link:network-zone[8]
+diff --git a/man/network-port.xml b/man/network-port.xml
+deleted file mode 100644
+index 5c0a8ae..0000000
+--- a/man/network-port.xml
++++ /dev/null
+@@ -1,245 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-port">
+-	<refentryinfo>
+-		<title>network-port</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-port</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-port</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network port <arg choice="plain">[new|destroy]</arg> <replaceable>PORT</replaceable> ...</command>
+-		</cmdsynopsis>
+-
+-		<cmdsynopsis>
+-			<command>network port <replaceable>PORT</replaceable> <arg choice="plain">command</arg> ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			With help of the <command>port</command> command, you can create, delete,
+-			change and view the configuration and status of ports.
+-		</para>
+-
+-		<para>
+-			A port is a physical or virtual device that is directly connected
+-			to an other network. If connects those and zones together.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>new <replaceable>HOOK</replaceable> <arg choice="opt" rep="repeat">ARGUMENTS</arg></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						A new port may be created by the <command>new</command>
+-						command.
+-					</para>
+-					<para>
+-						<replaceable>HOOK</replaceable> must be a valid
+-						hook which may require more <replaceable>ARGUMENTS</replaceable>.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>destroy <replaceable>PORT</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						A port can be destroyed with this command.
+-					</para>
+-					<para>
+-						The port is removed from any zones it is attached
+-						to and shut down.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-
+-		<para>
+-			For all other commands, the name of the port needs to be passed first:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>PORT</replaceable> create</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This will create an existing <replaceable>PORT</replaceable>.
+-					</para>
+-					<para>
+-						This does not create a new port. It will just create the (possibly
+-						virtual) interface this port (i.e. create an interface for a WiFi
+-						module or a VLAN device).
+-					</para>
+-					<para>
+-						The interface is not brought up. Use the <command>up</command> command
+-						to do that.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>PORT</replaceable> remove</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This will remove an existing <replaceable>PORT</replaceable>.
+-					</para>
+-					<para>
+-						This does not destroy the port. It inverses the operation performed
+-						by the <command>create</command> command.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>PORT</replaceable> [up|down]</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						These commands will bring the port up or down. It has to be
+-						created first.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>PORT</replaceable> color</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows settings a color for a port.
+-						See
+-						<citerefentry>
+-						<refentrytitle>network-color</refentrytitle>
+-						<manvolnum>8</manvolnum>
+-						</citerefentry>
+-						for more information.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>PORT</replaceable>description</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows you to add a description to a port.
+-						See
+-						<citerefentry>
+-						<refentrytitle>network-description</refentrytitle>
+-						<manvolnum>8</manvolnum>,
+-						</citerefentry>
+-						for more information.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>PORT</replaceable> edit <arg choice="opt" rep="repeat">ARGUMENTS</arg></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <command>edit</command> command can be used to alter
+-						the configuration of a port. Consult the documentation of the
+-						port hook to find out which <replaceable>ARGUMENTS</replaceable>
+-						are supported.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>PORT</replaceable> status</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This will show some detailed information about the state
+-						if the specified port.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>PORT</replaceable> identify</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command will make the port flash for a few seconds
+-						so that you can identify the correct network adapters
+-						in the system.
+-					</para>
+-					<para>
+-						This is not supported by all network adapters.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>,
+-			</citerefentry>
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0074-man-Converting-network-quick-start-8-to-asciidoc.patch b/network/patches/0074-man-Converting-network-quick-start-8-to-asciidoc.patch
new file mode 100644
index 000000000..8f99ad13a
--- /dev/null
+++ b/network/patches/0074-man-Converting-network-quick-start-8-to-asciidoc.patch
@@ -0,0 +1,275 @@ 
+From 27b9807e568edee69afa758481be164662770901 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 22:40:35 +0200
+Subject: [PATCH 074/304] man: Converting network-quick-start(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-quick-start.txt |  92 +++++++++++++++++++++
+ man/network-quick-start.xml | 155 ------------------------------------
+ 2 files changed, 92 insertions(+), 155 deletions(-)
+ create mode 100644 man/network-quick-start.txt
+ delete mode 100644 man/network-quick-start.xml
+
+diff --git a/man/network-quick-start.txt b/man/network-quick-start.txt
+new file mode 100644
+index 0000000..02ebfe0
+--- /dev/null
++++ b/man/network-quick-start.txt
+@@ -0,0 +1,92 @@
++network-quick-start(8)
++======================
++
++NAME
++----
++network-quick-start - Quick Start Guide for Networking
++
++DESCRIPTION
++-----------
++The link:network[8] is a very powerful command that allows you to configure
++the entire networking stack.
++Unfortunately that makes it quite complicated to use as well.
++
++This guide tries to be a good starting point to set up basic networking with
++the 'network' command.
++
++=== Adding an Uplink Zone
++
++The first step is to create a new uplink zone with name 'upl0'.
++
++This zone will be of the link:network-zone-bridge[8] type which is the default
++for all local networks.
++
++------------
++# network zone new upl0 bridge
++------------
++
++The zone will be created and brought up immediately.
++
++=== Attaching Ports
++
++To connect the zone to the physical world outside of our box we will need
++to attach ports to the zone. That is done with a single command.
++To execute this command, we will need to know which ports are available.
++One of the easiest way to find out about that is to use the auto-completion
++feature of the shell like this:
++
++------------
++# network zone upl0 port attach [TAB] [TAB]
++------------
++
++That will list all not yet attached ports. The following command will actually
++attach the port (which is 'p0' in this example).
++
++-----------
++# network zone upl0 port attach p0
++-----------
++
++You can as well get a list of all detected devices, zones and ports by running:
++
++-----------
++# network device list
++-----------
++
++To a zone of the 'bridge' type you may attach more than just one port if you
++wish to.
++
++=== IP Connectivity
++
++After a zone has been created and ports have been attached, you are now
++able to add IP connectivity.
++
++The easiest way to do that is using DHCP which can be enabled by this simple command:
++
++------------
++# network zone upl0 config new dhcp
++------------
++
++=== Debugging
++
++You may see the current status of the network by running this command:
++
++------------
++# network status
++------------
++
++The entire network can be restarted by running:
++
++------------
++# network restart
++------------
++
++AUTHORS
++-------
++Michael Tremer
++
++SEE ALSO
++--------
++link:network[8],
++link:network-device[8],
++link:network-port[8],
++link:network-zone[8]
+diff --git a/man/network-quick-start.xml b/man/network-quick-start.xml
+deleted file mode 100644
+index ea79700..0000000
+--- a/man/network-quick-start.xml
++++ /dev/null
+@@ -1,155 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network">
+-	<refentryinfo>
+-		<title>network-quick-start</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-quick-start</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-quick-start</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsect1>
+-		<title>Quick Start Guide</title>
+-
+-		<para>
+-			The <command>network</command> is a very powerful command that allows
+-			you to configure the entire networking stack. Unfortunately that makes
+-			it quite complicated to use as well.
+-			This guide tries to be a good starting point to set up basic networking
+-			with the <command>network</command> command.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Add an uplink zone</title>
+-
+-		<para>
+-			The first step is to create a new uplink zone with name
+-			<replaceable>upl0</replaceable>.
+-			This zone will be of the <replaceable>bridge</replaceable> type which is
+-			the default for all local networks.
+-		</para>
+-
+-		<programlisting># network zone new <replaceable>upl0</replaceable> <replaceable>bridge</replaceable></programlisting>
+-
+-		<para>
+-			The zone will be created and brought up immediately.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Attaching ports</title>
+-
+-		<para>
+-			To connect the zone to the physical world outside of our box we will need
+-			to attach ports to the zone.
+-			That is done with a single command.
+-			To execute this command, we will need to know which ports are available.
+-			One of the easiest way to find out about that is to use the auto-completion
+-			feature of the shell like this:
+-		</para>
+-
+-		<programlisting># network zone <replaceable>upl0</replaceable> port attach [TAB] [TAB]</programlisting>
+-
+-		<para>
+-			That will list all not yet attached ports.
+-			The following command will actually attach the port
+-			(which is <replaceable>p0</replaceable> in this example).
+-		</para>
+-
+-		<programlisting># network zone <replaceable>upl0</replaceable> port attach <replaceable>p0</replaceable></programlisting>
+-
+-		<para>
+-			You can as well get a list of all detected devices,
+-			zones and ports by running:
+-		</para>
+-
+-		<programlisting># network device list</programlisting>
+-
+-		<para>
+-			To a zone of the <replaceable>bridge</replaceable> type you may attach more
+-			than just one port if you wish so.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>IP connectivity</title>
+-
+-		<para>
+-			After a zone has been created and ports have been attached, you are now
+-			able to add IP connectivity.
+-			The easiest way to do that is using DHCP which can be enabled by this
+-			simple command:
+-		</para>
+-
+-		<programlisting># network zone <replaceable>upl0</replaceable> config new <replaceable>ipv6-dhcp</replaceable></programlisting>
+-
+-		<para>
+-			And for IPv4:
+-		</para>
+-
+-		<programlisting># network zone <replaceable>upl0</replaceable> config new <replaceable>ipv4-dhcp</replaceable></programlisting>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Debugging</title>
+-
+-		<para>
+-			You may see the current status of the network by running this command:
+-		</para>
+-
+-		<programlisting># network status</programlisting>
+-
+-		<para>
+-			The entire network can be restarted by running:
+-		</para>
+-
+-		<programlisting># network restart</programlisting>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-config</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-device</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-port</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0075-man-Use-include-for-color-commands.patch b/network/patches/0075-man-Use-include-for-color-commands.patch
new file mode 100644
index 000000000..eccd76aec
--- /dev/null
+++ b/network/patches/0075-man-Use-include-for-color-commands.patch
@@ -0,0 +1,55 @@ 
+From d28ccf91678256bc299fed2c10b066682487b1e9 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 22:53:20 +0200
+Subject: [PATCH 075/304] man: Use include for color commands
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/include-color.txt | 9 +++++++++
+ man/network-port.txt  | 7 +++----
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+ create mode 100644 man/include-color.txt
+
+diff --git a/man/include-color.txt b/man/include-color.txt
+new file mode 100644
+index 0000000..073c01b
+--- /dev/null
++++ b/man/include-color.txt
+@@ -0,0 +1,9 @@
++'color set <color>'::
++	The color is set with this command and required to be passed in
++	RGB hex formatting
++
++	NOTE: The color is being used to make identification of network devices
++	easier on the command line and web user interface.
++
++'color reset'::
++	Resets the color to blank.
+diff --git a/man/network-port.txt b/man/network-port.txt
+index 08b9e90..0c26f33 100644
+--- a/man/network-port.txt
++++ b/man/network-port.txt
+@@ -10,7 +10,8 @@ SYNOPSIS
+ [verse]
+ 'network port' new HOOK ...
+ 'network port' destroy PORT
+-'network port' PORT color
++'network port' PORT color set <color>
++'network port' PORT color reset
+ 'network port' PORT create
+ 'network port' PORT description edit
+ 'network port' PORT description show
+@@ -45,9 +46,7 @@ The following commands are understood:
+ 
+ For all other commands, the name of the port needs to be passed first:
+ 
+-'color'::
+-	This command allows settings a color for a port.
+-	See link:network-color[8] for more information.
++include::include-color.txt[]
+ 
+ 'create'::
+ 	This will create devices for the existing port PORT.
+-- 
+2.39.2
+
diff --git a/network/patches/0076-man-Drop-old-network-color-8-man-page.patch b/network/patches/0076-man-Drop-old-network-color-8-man-page.patch
new file mode 100644
index 000000000..a670acfb6
--- /dev/null
+++ b/network/patches/0076-man-Drop-old-network-color-8-man-page.patch
@@ -0,0 +1,72 @@ 
+From 7c329515f1e23231c315d41b55c4d9bea58c7d1c Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 22:54:02 +0200
+Subject: [PATCH 076/304] man: Drop old network-color(8) man page
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am           |  1 -
+ man/network-color.txt | 39 ---------------------------------------
+ 2 files changed, 40 deletions(-)
+ delete mode 100644 man/network-color.txt
+
+diff --git a/Makefile.am b/Makefile.am
+index 287a111..26f2e9c 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -455,7 +455,6 @@ INSTALL_DIRS += \
+ MANPAGES = \
+ 	man/firewall-settings.8 \
+ 	man/network.8 \
+-	man/network-color.8 \
+ 	man/network-device.8 \
+ 	man/network-dhcp.8 \
+ 	man/network-dns-server.8 \
+diff --git a/man/network-color.txt b/man/network-color.txt
+deleted file mode 100644
+index f3be474..0000000
+--- a/man/network-color.txt
++++ /dev/null
+@@ -1,39 +0,0 @@
+-network-color(8)
+-================
+-
+-NAME
+-----
+-network-color - Allows assigning a color to a zone or port
+-
+-SYNOPSIS
+---------
+-[verse]
+-'network' [zone ZONE|port PORT] color set AABBCC
+-'network' [zone ZONE|port PORT] reset
+-
+-DESCRIPTION
+------------
+-The 'color' command helps to manage colors for zones and ports.
+-The color is being used to make identification of a zone or port easier on the
+-command line and web user interface.
+-
+-COMMANDS
+---------
+-The following commands are understood:
+-
+-'set' [AABBCC]::
+-	The color of a zone or port is set with the 'set' command.
+-	It is required to pass a color in hex formatting.
+-
+-'reset'::
+-	Resets the color of a zone or port to blank.
+-
+-AUTHOR
+-------
+-Jonatan Schlag
+-
+-SEE ALSO
+---------
+-link:network[8]
+-link:network-zone[8]
+-link:network-port[8]
+-- 
+2.39.2
+
diff --git a/network/patches/0077-man-Fix-page-headers.patch b/network/patches/0077-man-Fix-page-headers.patch
new file mode 100644
index 000000000..ccf34d48b
--- /dev/null
+++ b/network/patches/0077-man-Fix-page-headers.patch
@@ -0,0 +1,38 @@ 
+From ec3a18b8cf262977d6fd73cee231338ce1b96ffd Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 30 Sep 2018 22:55:51 +0200
+Subject: [PATCH 077/304] man: Fix page headers
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-device.txt | 4 ++--
+ man/network-dhcp.txt   | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/man/network-device.txt b/man/network-device.txt
+index 33fcefa..4f1c1b0 100644
+--- a/man/network-device.txt
++++ b/man/network-device.txt
+@@ -1,5 +1,5 @@
+-network(8)
+-==========
++network-device(8)
++=================
+ 
+ NAME
+ ----
+diff --git a/man/network-dhcp.txt b/man/network-dhcp.txt
+index a448619..bcb768e 100644
+--- a/man/network-dhcp.txt
++++ b/man/network-dhcp.txt
+@@ -1,5 +1,5 @@
+-network(8)
+-==========
++network-dhcp(8)
++===============
+ 
+ NAME
+ ----
+-- 
+2.39.2
+
diff --git a/network/patches/0078-man-Convert-network-route-8-to-asciidoc.patch b/network/patches/0078-man-Convert-network-route-8-to-asciidoc.patch
new file mode 100644
index 000000000..b2030772a
--- /dev/null
+++ b/network/patches/0078-man-Convert-network-route-8-to-asciidoc.patch
@@ -0,0 +1,157 @@ 
+From 70172845e300fb2bf491d471224bd087b0c4e0f4 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 15:08:46 +0200
+Subject: [PATCH 078/304] man: Convert network-route(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-route.txt | 32 ++++++++++++++
+ man/network-route.xml | 97 -------------------------------------------
+ 2 files changed, 32 insertions(+), 97 deletions(-)
+ create mode 100644 man/network-route.txt
+ delete mode 100644 man/network-route.xml
+
+diff --git a/man/network-route.txt b/man/network-route.txt
+new file mode 100644
+index 0000000..bf3ddb4
+--- /dev/null
++++ b/man/network-route.txt
+@@ -0,0 +1,32 @@
++network-route(8)
++================
++
++NAME
++----
++network-route - Manage Routing
++
++SYNOPSIS
++--------
++[verse]
++'network route' COMMAND ...
++
++DESCRIPTION
++-----------
++This command helps to manage routes.
++
++COMMANDS
++--------
++The following commands are understood:
++
++'static' ...::
++	Static routes are managed by the 'static' command followed by the options
++	for static routes which are described in link:network-route-static[8]
++
++AUTHORS
++-------
++Michael Tremer
++
++SEE ALSO
++--------
++link:network[8],
++link:network-route-static[8]
+diff --git a/man/network-route.xml b/man/network-route.xml
+deleted file mode 100644
+index 207a5ce..0000000
+--- a/man/network-route.xml
++++ /dev/null
+@@ -1,97 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-route">
+-	<refentryinfo>
+-		<title>network-route</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-route</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-route</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network route <arg choice="plain">COMMAND</arg></command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The <command>route</command> helps to manage routes.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>static</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Static routes are managed by the <command>static</command> command
+-						followed by the options for static routes which are described in:
+-						<citerefentry>
+-							<refentrytitle>network-route-static</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry>
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-	</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Route Types</title>
+-
+-		<refsect2>
+-			<title>static</title>
+-
+-			<para>
+-				A static route is a route which does not change when the network changes.
+-			</para>
+-		</refsect2>
+-</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-route-static</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0079-.gitignore-Ignore-DS_Store.patch b/network/patches/0079-.gitignore-Ignore-DS_Store.patch
new file mode 100644
index 000000000..010ed44d1
--- /dev/null
+++ b/network/patches/0079-.gitignore-Ignore-DS_Store.patch
@@ -0,0 +1,26 @@ 
+From 82003431a4998e04e0e67f12ee6c3b6e5e802901 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 15:10:49 +0200
+Subject: [PATCH 079/304] .gitignore: Ignore DS_Store
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ .gitignore | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/.gitignore b/.gitignore
+index 36c85a1..bb093d3 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -14,6 +14,8 @@
+ /*.tar.bz2
+ /*.tar.gz
+ /*.tar.xz
++.DS_Store
++._.DS_Store
+ *.log
+ *.cache
+ *.la
+-- 
+2.39.2
+
diff --git a/network/patches/0080-man-Convert-network-route-static-8-to-asciidoc.patch b/network/patches/0080-man-Convert-network-route-static-8-to-asciidoc.patch
new file mode 100644
index 000000000..8d2f01413
--- /dev/null
+++ b/network/patches/0080-man-Convert-network-route-static-8-to-asciidoc.patch
@@ -0,0 +1,280 @@ 
+From d715390e9b1c4cc72bd22b915a842acc96912108 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 15:34:19 +0200
+Subject: [PATCH 080/304] man: Convert network-route-static(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-route-static.txt |  69 +++++++++++++
+ man/network-route-static.xml | 183 -----------------------------------
+ 2 files changed, 69 insertions(+), 183 deletions(-)
+ create mode 100644 man/network-route-static.txt
+ delete mode 100644 man/network-route-static.xml
+
+diff --git a/man/network-route-static.txt b/man/network-route-static.txt
+new file mode 100644
+index 0000000..d4774b2
+--- /dev/null
++++ b/man/network-route-static.txt
+@@ -0,0 +1,69 @@
++= network-route-static(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-route - Manage Static Routing
++
++== SYNOPSIS
++[verse]
++'network route static' COMMAND ...
++'network route static add' NETWORK [--gateway=GATEWAY,--unreachable,--prohibit,--blackhole] [--mtu=MTU]
++'network route static remove' NETWORK
++'network route static list' [--protocol=ipv6|ipv4]
++
++== DESCRIPTION
++This command helps to manage routes.
++
++== COMMANDS
++The following commands are understood:
++
++'add' NETWORK ...::
++	A new route may be added by the 'add' command. It is required to pass a
++	valid network prefix NETWORK, which can be either IPv6 or IPv4.
++	+
++	For unicast routes, the '--gateway=GATEWAY' option must be passed, where
++	GATEWAY is a valid IP address of the same protocol type as the network
++	prefix is.
++	+
++	Use '--unreachable', '--prohibit', '--blackhole' can be used to create of
++	that type. See ROUTE TYPES below for more information about these options.
++	+
++	The optional '--mtu=MTU' parameter defines the MTU along the path to the
++	destination and must be an integer number. This will show you very
++	detailed information about the given device.
++
++'remove' NETWORK::
++	A route can be removed with this command.
++	+
++	NETWORK is the network prefix of an existing route.
++
++'list'::
++	Shows a list of all configured routes.
++	+
++	Output can be filtered by passing --protocol=[ipv6|ipv4].
++
++== ROUTE TYPES
++
++[horizontal]
++'unicast'::
++	A unicast route is the most common route in routing tables. It is a route to
++	a destination network address, which describes the path to the destination.
++	Use the '--gateway=GATEWAY' option to create such a route.
++
++'unreachable'::
++	When a route is determined and the routing decision process returns a
++	destination with an unreachable route type, an ICMP unreachable message is
++	generated and returned to the source address.
++
++'prohibit'::
++	This works like an _unreachable_ route, but the returned ICMP message is an
++	ICMP prohibited message.
++
++'blackhole'::
++	Packets matching this kind of route are silently discarded.
++	There will be no ICMP message sent to the source and no packet be forwarded.
++
++== SEE ALSO
++link:network[8],
++link:network-route[8],
++link:ip-route[8]
+diff --git a/man/network-route-static.xml b/man/network-route-static.xml
+deleted file mode 100644
+index d43eb62..0000000
+--- a/man/network-route-static.xml
++++ /dev/null
+@@ -1,183 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-route-static">
+-	<refentryinfo>
+-		<title>network-route-static</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-route-static</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-route-static</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network route static <arg choice="plain">COMMAND</arg></command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The <command>route static</command> helps to manage static routes.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>add <replaceable>NETWORK</replaceable> [<option>--gateway=GATEWAY</option>, <option>--unreachable</option>, <option>--prohibit</option>, <option>--blackhole</option>] [<option>--mtu=MTU</option>]</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						A new route may be added by the <command>add</command> command.
+-						It is always required to pass a valid network prefix
+-						<replaceable>NETWORK</replaceable>, which can be either
+-						IPv6 or IPv4.
+-					</para>
+-					<para>
+-						For unicast routes, the <option>--gateway=GATEWAY</option>
+-						option must be passed, where <varname>GATEWAY</varname>
+-						is a valid IP address of the same protocol type as the
+-						network prefix is.
+-					</para>
+-					<para>
+-						Use <option>--unreachable</option>, <option>--prohibit</option>,
+-						<option>--blackhole</option> can be used to create of that
+-						type. See <emphasis>ROUTE TYPES</emphasis> below for more
+-						information about these options.
+-					</para>
+-					<para>
+-						The optional <option>--mtu=MTU</option> parameter defines the
+-						MTU along the path to the destination and must be an integer
+-						number. This will show you very detailed information about
+-						the given device.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>remove <replaceable>NETWORK</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						A route can be removed with the command.
+-					</para>
+-					<para>
+-						<replaceable>NETWORK</replaceable> is the network prefix
+-						of an existing route.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>list [<option>--protocol=ipv6|ipv4</option>]</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Shows a list of all configured routes.
+-					</para>
+-					<para>
+-						Pass the protocol option to filter the output only for the
+-						given protocol.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Route Types</title>
+-
+-		<refsect2>
+-			<title>unicast</title>
+-
+-			<para>
+-				A unicast route is the most common route in routing tables.
+-				It is a route to a destination network address, which describes
+-				the path to the destination.
+-				Use the <option>--gateway=GATEWAY</option> option to create such
+-				a route.
+-			</para>
+-		</refsect2>
+-
+-		<refsect2>
+-			<title>unreachable</title>
+-
+-			<para>
+-				When a route is determined and the routing decision process
+-				returns a destination with an unreachable route type, an ICMP
+-				unreachable message is generated and returned to the source
+-				address.
+-			</para>
+-		</refsect2>
+-
+-		<refsect2>
+-			<title>prohibit</title>
+-
+-			<para>
+-				This works like an <emphasis>unreachable</emphasis> route, but
+-				the returned ICMP message is an ICMP prohibited message.
+-			</para>
+-		</refsect2>
+-
+-		<refsect2>
+-			<title>blackhole</title>
+-
+-			<para>
+-				Packets matching this kind of route are silently discarded.
+-				There will be no ICMP message sent to the source and no packet
+-				be forwarded.
+-			</para>
+-		</refsect2>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-route</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>ip-route</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0081-man-Convert-network-settings-8-to-asciidoc.patch b/network/patches/0081-man-Convert-network-settings-8-to-asciidoc.patch
new file mode 100644
index 000000000..f0e629f46
--- /dev/null
+++ b/network/patches/0081-man-Convert-network-settings-8-to-asciidoc.patch
@@ -0,0 +1,190 @@ 
+From daebec37ca3cd19e000d1a9c1a77448d8c155fcd Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 15:47:14 +0200
+Subject: [PATCH 081/304] man: Convert network-settings(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-settings.txt |  44 +++++++++++++++
+ man/network-settings.xml | 118 ---------------------------------------
+ 2 files changed, 44 insertions(+), 118 deletions(-)
+ create mode 100644 man/network-settings.txt
+ delete mode 100644 man/network-settings.xml
+
+diff --git a/man/network-settings.txt b/man/network-settings.txt
+new file mode 100644
+index 0000000..e77f038
+--- /dev/null
++++ b/man/network-settings.txt
+@@ -0,0 +1,44 @@
++= network-settings(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-settings - Change global network settings
++
++== SYNOPSIS
++'network settings'
++'network settings' KEY=VALUE
++
++== DESCRIPTION
++The 'network settings' command may be used to set global settings.
++
++Please have a look at the individual man pages for more options.
++
++== COMMANDS
++If no additional argument is given, running the command will dump a list of
++all settings variables and their current values.
++
++You may set a new value by adding the variable name and the new
++value to the command line.
++
++== VARIABLES
++
++'DEBUG=[true|_false_]'::
++	The DEBUG will control whether debug logging is enabled or not.
++	Additionally to writing debug log messages to the log files, the messages
++	will be displayed on the console as well.
++
++'WIRELESS_REGULATORY_DOMAIN=_00_'::
++	The wireless regulatory domain is set globally for the entire system with
++	the WIRELESS_REGULATORY_DOMAIN setting.
++	+
++	The default is '00' which is the _world_ setting.
++	+
++	Valid values are country codes for countries which have their own
++	regulatory domain.
++
++== AUTHORS
++Michael Tremer
++
++== SEE ALSO
++link:network[8],
++link:network-dns-server[8]
+diff --git a/man/network-settings.xml b/man/network-settings.xml
+deleted file mode 100644
+index 7d1c70d..0000000
+--- a/man/network-settings.xml
++++ /dev/null
+@@ -1,118 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-settings">
+-	<refentryinfo>
+-		<title>network-settings</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-settings</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-settings</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network settings</command>
+-		</cmdsynopsis>
+-
+-		<cmdsynopsis>
+-			<command>network settings <replaceable>KEY=VALUE</replaceable></command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The <command>network settings</command> command may be used to set
+-			global settingsuration options.
+-		</para>
+-		<para>
+-			Please have a look at the individual man pages for more options.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			If no additional argument is given, running the command will
+-			dump a list of all settingsuration variables and their current values.
+-		</para>
+-
+-		<para>
+-			You may set a new value by adding the variable name and the new
+-			value to the command line.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Variables</title>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<varname>DEBUG</varname>=[<emphasis>0</emphasis>|1]
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <varname>DEBUG</varname> will control whether debug
+-						logging is enabled or not. Additionally to writing debug
+-						log messages to the log files, the messages will be displayed
+-						on the console as well.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<varname>WIRELESS_REGULATORY_DOMAIN</varname>=<emphasis>00</emphasis>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The wireless regulatory domain is set globally for the
+-						entire system with the <varname>WIRELESS_REGULATORY_DOMAIN</varname>
+-						setting. The default is <emphasis>00</emphasis> which
+-						is the <emphasis>world</emphasis> setting.
+-						Valid values are country codes for countries which have their
+-						own regulatory domain.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-dns-server</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0082-man-Convert-network-vpn-8-to-asciidoc.patch b/network/patches/0082-man-Convert-network-vpn-8-to-asciidoc.patch
new file mode 100644
index 000000000..b284f76dc
--- /dev/null
+++ b/network/patches/0082-man-Convert-network-vpn-8-to-asciidoc.patch
@@ -0,0 +1,135 @@ 
+From 9848b81e6e8c2732920d9a7a115110723e2b07bb Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 15:59:21 +0200
+Subject: [PATCH 082/304] man: Convert network-vpn(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-vpn.txt | 26 +++++++++++++++
+ man/network-vpn.xml | 81 ---------------------------------------------
+ 2 files changed, 26 insertions(+), 81 deletions(-)
+ create mode 100644 man/network-vpn.txt
+ delete mode 100644 man/network-vpn.xml
+
+diff --git a/man/network-vpn.txt b/man/network-vpn.txt
+new file mode 100644
+index 0000000..5a905db
+--- /dev/null
++++ b/man/network-vpn.txt
+@@ -0,0 +1,26 @@
++= network-vpn(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-vpn - Configure Virtual Private Networks
++
++== SYNOPSIS
++'network vpn' COMMAND ...
++
++== DESCRIPTION
++The 'vpn' command allows to create, delete, edit and show the status of VPN
++connections and the configuration around it.
++
++== COMMANDS
++The following commands are understood:
++
++'security-policies' ...::
++	Use this command to manage security policies.
++	+
++	See link:network-vpn-security-policies[8] for details.
++
++== AUTHORS
++Michael Tremer
++
++== SEE ALSO
++link:network[8]
+diff --git a/man/network-vpn.xml b/man/network-vpn.xml
+deleted file mode 100644
+index d71d14a..0000000
+--- a/man/network-vpn.xml
++++ /dev/null
+@@ -1,81 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-vpn">
+-	<refentryinfo>
+-		<title>network-vpn</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-vpn</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-vpn</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network <arg choice="plain">vpn</arg> <arg choice="plain">command</arg> ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The <command>vpn</command> command allows to create, delete, edit
+-			and show the status of VPN connections and the configuration around it.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>security-policies ...</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Use this command to manage security policies.
+-						See <citerefentry>
+-							<refentrytitle>network-vpn-security-policies</refentrytitle>
+-							<manvolnum>8</manvolnum>
+-						</citerefentry> for details.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0083-man-Convert-network-vpn-security-policies-8-to-ascii.patch b/network/patches/0083-man-Convert-network-vpn-security-policies-8-to-ascii.patch
new file mode 100644
index 000000000..6aa5702e5
--- /dev/null
+++ b/network/patches/0083-man-Convert-network-vpn-security-policies-8-to-ascii.patch
@@ -0,0 +1,453 @@ 
+From 0a31681e96ee9ed656bf5ce531d4057079a897be Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 16:30:26 +0200
+Subject: [PATCH 083/304] man: Convert network-vpn-security-policies(8) to
+ asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-vpn-security-policies.txt | 111 +++++++++
+ man/network-vpn-security-policies.xml | 313 --------------------------
+ 2 files changed, 111 insertions(+), 313 deletions(-)
+ create mode 100644 man/network-vpn-security-policies.txt
+ delete mode 100644 man/network-vpn-security-policies.xml
+
+diff --git a/man/network-vpn-security-policies.txt b/man/network-vpn-security-policies.txt
+new file mode 100644
+index 0000000..f9dc91a
+--- /dev/null
++++ b/man/network-vpn-security-policies.txt
+@@ -0,0 +1,111 @@
++= network-vpn-security-policies(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-vpn-security-policies - Configure VPN Security Policies
++
++== SYNOPSIS
++[verse]
++'network vpn security-policies [new|destroy]' NAME...
++'network vpn security-policies' NAME COMMAND ...
++
++== DESCRIPTION
++With help of the 'vpn security-policies', it is possible to create, destroy
++and edit VPN security policies.
++
++A security policy is a definition of ciphers and algorithms for integrity
++and key-exchanges for VPN connections.
++
++== COMMANDS
++The following commands are understood:
++
++'new NAME'::
++	A new security policy may be created with the 'new' command.
++	+
++	NAME does not allow any spaces.
++
++'destroy NAME'::
++	A security policy can be destroyed with this command.
++	+
++	If the policy is still in use, it cannot be deleted.
++
++For all other commands, the name of the security policy needs to be passed first:
++
++'NAME show'::
++	Shows the configuration of the security policy.
++
++'NAME key-exchange' [IKEv2|IKEv1]::
++	Defines the key exchange algorithm that should be used to initiate an
++	IPsec VPN connection.
++
++'NAME ciphers' [CIPHER-LIST|+CIPHER ...|-CIPHER ...]::
++	This command allows modifying the cipher list.
++	A new CIPHER-LIST can be passed which will replace the current configuration.
++	Alternatively, new ciphers can be added by prepending a + sign to the cipher
++	name and can removed likewise using -.
++	+
++	A cipher is an algorithm that encrypts and decrypts data to be able to
++	transmit it over an insecure channel.
++
++'NAME integrities' [INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]::
++	This command allows modifying the integrity list similar to the
++	'ciphers' command.
++	+
++	Integrity algorithms are used to be able to determine if data has been
++	altered when being transferred over an untrusted channel.
++
++'NAME pseudo-random-functions' [PSEUDO-RANDOM-FUNCTION-LIST|+PSEUDO-RANDOM-FUNCTION...|-PSEUDO-RANDOM-FUNCTION]::
++	This command allows modifying the list of pseudo random functions
++	similar to the 'ciphers' command.
++	+
++	These functions are used in combination with an AEAD cipher only.
++
++'NAME group-types' [GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE]::
++	This command allows modifying the list of group types similar to the
++	'ciphers' command.
++	+
++	These algorithms are used to negotiate a shared secret of an insecure channel.
++
++'NAME pfs' [on|off]::
++	This command allows to enable or disable Perfect Forward Secrecy (PFS).
++	If PFS is enabled, the encrypted channels of a VPN connection will be
++	renegotiated regularly to avoid that the same keys are used for too long.
++	If an attacker is able to obtain a key that was used to encrypt the
++	data, it is only possible to decrypt a certain amount of data.
++	+
++	It is strongly recommended to enable PFS at all times.
++
++'NAME lifetime' LIFETIME::
++	This command allows to define how often the VPN connection is
++	renegotiated if PFS is enabled.
++
++'NAME compression' [on|off]::
++	This command allows to enable or disable compression.
++	If compression is enabled, all data is being compressed before being
++	sent through the VPN.
++	This setting is ignored if the peer does not support this.
++
++== System Policies
++
++The system comes with builtin policies that cannot be modified by the user.
++They are intended to provide good defaults for various situations.
++
++[horizontal]
++'system'::
++	This policy is the default for every VPN connection and allows using
++	all ciphers, integrity and key-exchange algorithms that are recommended
++	to use and have not been proven or assumed to be broken, yet.
++	+
++	Over time, this policy will change whenever an algorithm has been broken
++	and is not recommended to be used any more.
++
++'performance'::
++	This policy is recommended to be used on systems that are not very powerful.
++	Algorithms with smaller key lengths, but still considered to be secure
++	are being used.
++
++System policies cannot be deleted.
++
++== SEE ALSO
++link:network[8],
++link:network-vpn[8]
+diff --git a/man/network-vpn-security-policies.xml b/man/network-vpn-security-policies.xml
+deleted file mode 100644
+index 40e6213..0000000
+--- a/man/network-vpn-security-policies.xml
++++ /dev/null
+@@ -1,313 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-zone">
+-	<refentryinfo>
+-		<title>network-vpn-security-policies</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-vpn-security-policies</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-vpn-security-policies</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network vpn security-policies <arg choice="plain">[new|destroy]</arg> <replaceable>NAME</replaceable> ...</command>
+-		</cmdsynopsis>
+-
+-		<cmdsynopsis>
+-			<command>network vpn security-policies <replaceable>NAME</replaceable> <arg choice="plain">command</arg> ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			With help of the <command>vpn security-policies</command>, it is possible
+-			to create, destroy and edit VPN security policies.
+-		</para>
+-		<para>
+-			A security policy is a definition of ciphers and algorithms for integrity
+-			and key-exchanges for VPN connections.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>new <replaceable>NAME</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						A new security policy may be created with the
+-						<command>new</command> command.
+-					</para>
+-
+-					<para>
+-						<replaceable>NAME</replaceable> does not allow any spaces.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>destroy <replaceable>NAME</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						A security policy can be destroyed with this command.
+-					</para>
+-					<para>
+-						If the policy is still in use, it cannot be deleted.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-
+-		<para>
+-			For all other commands, the name of the security policy needs to be passed first:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>NAME</replaceable> show</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Shows the configuration of the security policy.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>NAME</replaceable> key-exchange <replaceable>[IKEv2|IKEv1]</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Defines the key exchange algorithm that should be used to
+-						initiate an IPsec VPN connection.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>NAME</replaceable> ciphers <replaceable>[CIPHER-LIST|+CIPHER ...|-CIPHER ...]</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows modifying the cipher list.
+-					</para>
+-
+-					<para>
+-						A new <replaceable>CIPHER-LIST</replaceable> can be passed
+-						which will replace the current configuration.
+-						Alternatively, new ciphers can be added by prepending a
+-						+ sign to the cipher name and can removed likewise
+-						using -.
+-					</para>
+-
+-					<para>
+-						A cipher is an algorithm that encrypts and decrypts data
+-						to be able to transmit it over an insecure channel.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>NAME</replaceable> integrities <replaceable>[INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows modifying the integrity list
+-						similar to the <command>ciphers</command> command.
+-					</para>
+-
+-					<para>
+-						Integrity algorithms are used to be able to determine
+-						if data has been altered when being transfered over
+-						an untrusted channel.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>NAME</replaceable> pseudo-random-functions <replaceable>[PSEUDO-RANDOM-FUNCTION-LIST|+PSEUDO-RANDOM-FUNCTION...|-PSEUDO-RANDOM-FUNCTION]</replaceable>
+-					</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows modifying the list of pseudo random functions
+-						similar to the <command>ciphers</command> command.
+-					</para>
+-
+-					<para>
+-						These functions are used in combination with an AEAD cipher only.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>NAME</replaceable> group-types <replaceable>[GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE]</replaceable>
+-					</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows modifying the list of group types
+-						similar to the <command>ciphers</command> command.
+-					</para>
+-
+-					<para>
+-						These algorithms are used to negotiate a shared secret
+-						of an insecure channel.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>NAME</replaceable> pfs <replaceable>[on|off]</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows to enable or disable Perfect Forward Secrecy (PFS).
+-					</para>
+-
+-					<para>
+-						If PFS is enabled, the encrypted channels of a VPN connection will be
+-						renegotiated regularly to avoid that the same keys are used for too long.
+-						If an attacker is able to obtain a key that was used to encrypt the
+-						data, it is only possible to decrypt a certain amount of data.
+-					</para>
+-
+-					<para>
+-						It is strongly recommended to enable PFS at all times.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>NAME</replaceable> lifetime <replaceable>LIFETIME</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows to define how often the VPN connection is
+-						renegotiated if PFS is enabled.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>NAME</replaceable> compression <replaceable>[on|off]</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows to enable or disable compression.
+-					</para>
+-
+-					<para>
+-						If compression is enabled, all data is being compressed before being
+-						sent through the VPN.
+-						This setting is ignored if the peer does not support this.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>System Policies</title>
+-
+-		<para>
+-			The system comes with builtin policies that cannot be modified by the user.
+-			They are intended to provide good defaults for various situations.
+-		</para>
+-
+-		<refsect2>
+-			<title>system</title>
+-
+-			<para>
+-				This policy is the default for every VPN connection and allows using
+-				all ciphers, integrity and key-exchange algorithms that are recommended
+-				to use and have not been proven or assumed to be broken, yet.
+-			</para>
+-
+-			<para>
+-				Over time, this policy will change whenever an algorithm has been broken
+-				and is not recommended to be used any more.
+-			</para>
+-		</refsect2>
+-
+-		<refsect2>
+-			<title>performance</title>
+-
+-			<para>
+-				This policy is recommended to be used on systems that are not very powerful.
+-				Algorithms with smaller key lengths, but still considered to be secure
+-				are being used.
+-			</para>
+-		</refsect2>
+-
+-		<para>
+-			System policies cannot be deleted.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-vpn</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0084-man-Convert-network-zone-8-to-asciidoc.patch b/network/patches/0084-man-Convert-network-zone-8-to-asciidoc.patch
new file mode 100644
index 000000000..0edf995fa
--- /dev/null
+++ b/network/patches/0084-man-Convert-network-zone-8-to-asciidoc.patch
@@ -0,0 +1,375 @@ 
+From 357723e90cb0f700c4315b6016543db4230df5fb Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 16:46:07 +0200
+Subject: [PATCH 084/304] man: Convert network-zone(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/include-color.txt       |   2 +-
+ man/include-description.txt |   2 +-
+ man/network-zone.txt        |  73 +++++++++++
+ man/network-zone.xml        | 247 ------------------------------------
+ 4 files changed, 75 insertions(+), 249 deletions(-)
+ create mode 100644 man/network-zone.txt
+ delete mode 100644 man/network-zone.xml
+
+diff --git a/man/include-color.txt b/man/include-color.txt
+index 073c01b..4b417a5 100644
+--- a/man/include-color.txt
++++ b/man/include-color.txt
+@@ -1,7 +1,7 @@
+ 'color set <color>'::
+ 	The color is set with this command and required to be passed in
+ 	RGB hex formatting
+-
++	+
+ 	NOTE: The color is being used to make identification of network devices
+ 	easier on the command line and web user interface.
+ 
+diff --git a/man/include-description.txt b/man/include-description.txt
+index a39ba55..49bac64 100644
+--- a/man/include-description.txt
++++ b/man/include-description.txt
+@@ -1,6 +1,6 @@
+ 'description edit'::
+ 	This command opens an editor and allows you to edit title and description.
+-
++	+
+ 	NOTE: The formation of the description is similar to a git commit.
+ 	Every description has a title, the first line of the description.
+ 	The title is shown on the status page and in the web user interface.
+diff --git a/man/network-zone.txt b/man/network-zone.txt
+new file mode 100644
+index 0000000..88a1988
+--- /dev/null
++++ b/man/network-zone.txt
+@@ -0,0 +1,73 @@
++= network-zone(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-zone - Manage network zones
++
++== SYNOPSIS
++[verse]
++'network zone [new|destroy]' ZONE
++'network zone' ZONE ...
++
++== DESCRIPTION
++With help of the 'zone' command, it is very easy to configure network zones.
++
++It is possible to create zones and remove them. Zones may also be brought up
++and down and reconfigured. Their status may be viewed as well.
++
++== COMMANDS
++The following commands are understood:
++
++'new ZONE HOOK OPTIONS'::
++	A new zone may be created by the 'create' command.
++	There are at least two arguments required.
++	+
++	ZONE must be valid name for a zone which does not already exist.
++	HOOK is a valid zone hook which may require additional options.
++
++'destroy ZONE'::
++	A zone can be destroyed with this command.
++	+
++	There are two possible ways to remove a zone. The case is when the zone is
++	not up. Then, it will be removed immediately. When the zone is current up
++	and used, it will tagged to be remove later, after it has been brought down.
++
++For all other commands, the name of the zone needs to be passed first:
++
++'edit OPTIONS'::
++	The settings of a zone may be edited after it has been created.
++	The options that can be passed depend on the hook that is used for the zone.
++	Run 'network zone ZONE edit --help' to learn more about that.
++	+
++	It usually is required to restart/reload the zone until the new settings
++	are taken into account.
++
++'[up|down]'::
++	These commands will bring the zone up/down. This is done without control
++	of systemd, therefore not intended to be done in a productive environment.
++	However, these commands may be used for debugging.
++
++'[enable|disable]'::
++	These commands will enable or disable the zone. An enabled zone will
++	automatically be started either during the boot process or a hotplug event
++	of an associated port or other device.
++
++'status'::
++	This will show some detailed information about the state if the specified zone.
++
++include::include-color.txt[]
++
++include::include-description.txt[]
++
++'identify'::
++	This command will make all ports of the zone flash for a few seconds so
++	that you can identify the correct network adapters in the system.
++
++'rename' NAME::
++	Renames the zone to NAME.
++	+
++	The command will shut down the zone if it is up and start it again with
++	the new name. If the zone is not up it won't be started.
++
++== SEE ALSO
++link:network[8]
+diff --git a/man/network-zone.xml b/man/network-zone.xml
+deleted file mode 100644
+index 99fa8b8..0000000
+--- a/man/network-zone.xml
++++ /dev/null
+@@ -1,247 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-zone">
+-	<refentryinfo>
+-		<title>network-zone</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-zone</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-zone</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network zone <arg choice="plain">[new|destroy]</arg> <replaceable>ZONE</replaceable> ...</command>
+-		</cmdsynopsis>
+-
+-		<cmdsynopsis>
+-			<command>network zone <replaceable>ZONE</replaceable> <arg choice="plain">command</arg> ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			With help of the <command>zone</command> command, it is very easy to
+-			configure network zones.
+-		</para>
+-		<para>
+-			It is possible to create zones and remove them. Zones may also
+-			be brought up and down and reconfigured. Their status may be viewed
+-			as well.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Commands</title>
+-
+-		<para>
+-			The following commands are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command>new <replaceable>ZONE</replaceable> <replaceable>HOOK</replaceable> <arg choice="opt" rep="repeat">OPTIONS</arg></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						A new zone may be created by the <command>create</command>
+-						command. There are at least two arguments required.
+-					</para>
+-					<para>
+-						<replaceable>ZONE</replaceable> must be valid name for a
+-						zone which does not already exist.
+-						<replaceable>HOOK</replaceable> is a valid zone hook which
+-						may require additional options.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command>destroy <replaceable>ZONE</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						A zone can be destroyed with this command.
+-					</para>
+-					<para>
+-						There are two possible ways to remove a zone. The case
+-						is when the zone is not up. Then, it will be removed
+-						immediately. When the zone is current up and used, it
+-						will tagged to be remove later, after it has been brought
+-						down.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-
+-		<para>
+-			For all other commands, the name of the zone needs to be passed first:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>ZONE</replaceable> edit <arg choice="opt" rep="repeat">OPTIONS</arg></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The settings of a zone may be edited after it has been created.
+-						The options that can be passed depend on the hook that is used
+-						for the zone.
+-						Run <command>network zone <replaceable>ZONE</replaceable> edit --help</command>
+-						to learn more about that.
+-					</para>
+-					<para>
+-						It usually is required to restart/reload the zone until
+-						the new settings are taken into account.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>ZONE</replaceable> [up|down]</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						These commands will bring the zone up/down. This is done
+-						without control of systemd, therefore not intended to be
+-						done in a productive environment.
+-						However, these commands may be used for debugging.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>ZONE</replaceable> [enable|disable]</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						These commands will enable or disable the zone. An enabled
+-						zone will automatically be started either during the boot process
+-						or a hotplug event of an associated port or other device.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>ZONE</replaceable> status</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This will show some detailed information about the state
+-						if the specified zone.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>ZONE</replaceable> color</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command allows settings a color for a zone.
+-						See
+-						<citerefentry>
+-						<refentrytitle>network-color</refentrytitle>
+-						<manvolnum>8</manvolnum>
+-						</citerefentry>
+-						for more information.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>ZONE</replaceable>description</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command make is possible to add a description to a zone.
+-						See
+-						<citerefentry>
+-						<refentrytitle>network-description</refentrytitle>
+-						<manvolnum>8</manvolnum>,
+-						</citerefentry>
+-						for more information.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>ZONE</replaceable> identify</command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This command will make all ports of the zone flash for
+-						a few seconds so that you can identify the correct network
+-						adapters in the system.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<command><replaceable>ZONE</replaceable> rename <replaceable>NAME</replaceable></command>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Renames the zone to <replaceable>NAME</replaceable>.
+-					</para>
+-					<para>
+-						The command will shut down the zone if it is up and
+-						start it again with the new name. If the zone is not
+-						up it won't be started.
+-					</para>
+-					<para>
+-						Zones that are marked to be destroyed cannot be renamed.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0085-man-Convert-network-zone-bridge-8-to-asciidoc.patch b/network/patches/0085-man-Convert-network-zone-bridge-8-to-asciidoc.patch
new file mode 100644
index 000000000..6d114cd02
--- /dev/null
+++ b/network/patches/0085-man-Convert-network-zone-bridge-8-to-asciidoc.patch
@@ -0,0 +1,255 @@ 
+From 010f24cfc6e363815ae6a408a16e8b07c069c1a7 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 16:59:10 +0200
+Subject: [PATCH 085/304] man: Convert network-zone-bridge(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-zone-bridge.txt |  55 ++++++++++++
+ man/network-zone-bridge.xml | 172 ------------------------------------
+ 2 files changed, 55 insertions(+), 172 deletions(-)
+ create mode 100644 man/network-zone-bridge.txt
+ delete mode 100644 man/network-zone-bridge.xml
+
+diff --git a/man/network-zone-bridge.txt b/man/network-zone-bridge.txt
+new file mode 100644
+index 0000000..2e4f839
+--- /dev/null
++++ b/man/network-zone-bridge.txt
+@@ -0,0 +1,55 @@
++= network-zone-bridge(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-zone-bridge - Manage network zones
++
++== SYNOPSIS
++[verse]
++'network zone new ZONE bridge' ...
++'network zone ZONE edit' ...
++
++== DESCRIPTION
++The bridge hook creates an ethernet bridge which acts as an unmanaged network
++switch. It contains one or multiple physical network interfaces or virtual
++devices which will be connected to each other.
++
++The bridge hook is the preferred hook for local area network zones which are
++connected to an ethernet network.
++
++== OPTIONS
++The following options are understood:
++
++'--address=ADDRESS'::
++	By this option, you may define the MAC address of the bridge. If this option
++	is missing, a random MAC address will be generated.
++
++'--mtu=MTU'::
++	Sets the default MTU of the bridge.
++	All ports in the bridge must support this MTU value.
++
++'--stp=[_on_|off]'::
++	This option enables or disables use of the _Spanning Tree Protocol_ (STP).
++	This protocol is used to avoid loops in networks by dynamically disabling
++	packet forwarding on links.
++	+
++	It is highly recommended to leave this option enabled when you add more
++	than one device to the zone. Read below how the behaviour of STP can be changed.
++
++Spanning Tree Protocol (802.1D) configuration options:
++
++'--stp-forward-delay=_0_'::
++	This sets the default time the interfaces are hold off after they have been
++	added to a bridge. The default value is 0.
++
++'--stp-hello=_2_'::
++	This option defines how often a hello message should be sent. The value is
++	given in seconds and the default is 2.
++
++'--stp-priority=512'::
++	The STP priority sets the ranking of this network device within the network.
++	The bridge with the best rank (0 is best) will become the root bridge.
++
++== SEE ALSO
++link:network[8],
++link:network-zone[8]
+diff --git a/man/network-zone-bridge.xml b/man/network-zone-bridge.xml
+deleted file mode 100644
+index a77118b..0000000
+--- a/man/network-zone-bridge.xml
++++ /dev/null
+@@ -1,172 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-zone-bridge">
+-	<refentryinfo>
+-		<title>network-zone-bridge</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-zone-bridge</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-zone-bridge</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network zone new <replaceable>ZONE</replaceable> bridge ...</command>
+-		</cmdsynopsis>
+-
+-		<cmdsynopsis>
+-			<command>network zone <replaceable>ZONE</replaceable> edit ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The bridge hook creates an ethernet bridge which acts as an unmanaged network
+-			switch. It contains one or multiple phyisical network interfaces or virtual
+-			devices which will be connected to each other.
+-		</para>
+-		<para>
+-			The bridge hook is the prefered hook for local area network zones which are
+-			connected to an ethernet network.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Options</title>
+-
+-		<para>
+-			The following options are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<option>--stp=[<emphasis>on</emphasis>|off]</option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This option enables or disable the use of the
+-						<emphasis>Spanning Tree Protocol</emphasis> (STP).
+-						This protocol is used to avoid loops in networks by
+-						dynamically disabling packet forwarding on links.
+-					</para>
+-					<para>
+-						It is highly recommended to leave this option enabled
+-						when you add more than one device to the zone.
+-						Read below how the behaviour of STP can be changed.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--mtu=<replaceable>MTU</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the default MTU of the bridge.
+-						All ports in the bridge must support this MTU value.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--address=<replaceable>ADDRESS</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						By this option, you may define the MAC address of the
+-						bridge. If this option is missing, a random MAC address
+-						will be generated.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-
+-		<para>
+-			Spanning Tree Protocol (802.1D) configuration options:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<option>--stp-forward-delay=<replaceable>0</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This sets the default time the interfaces are hold off
+-						after they have been added to a bridge.
+-						The default value is 0.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--stp-hello=<replaceable>2</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This option defines how often a hello message should be
+-						sent. The value is given in seconds and the default is 2.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--stp-priority=<replaceable>512</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The STP priority sets the ranking of this network device
+-						within the network. The bridge with the best rank
+-						(0 is best) will become the root bridge.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0086-man-Convert-network-zone-config-pppoe-server-8-to-as.patch b/network/patches/0086-man-Convert-network-zone-config-pppoe-server-8-to-as.patch
new file mode 100644
index 000000000..3afd01e9a
--- /dev/null
+++ b/network/patches/0086-man-Convert-network-zone-config-pppoe-server-8-to-as.patch
@@ -0,0 +1,222 @@ 
+From 718371b565fdb93719f68b5a2dcf719dd57a4e93 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 17:15:50 +0200
+Subject: [PATCH 086/304] man: Convert network-zone-config-pppoe-server(8) to
+ asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-zone-config-pppoe-server.txt |  50 ++++++++
+ man/network-zone-config-pppoe-server.xml | 143 -----------------------
+ 2 files changed, 50 insertions(+), 143 deletions(-)
+ create mode 100644 man/network-zone-config-pppoe-server.txt
+ delete mode 100644 man/network-zone-config-pppoe-server.xml
+
+diff --git a/man/network-zone-config-pppoe-server.txt b/man/network-zone-config-pppoe-server.txt
+new file mode 100644
+index 0000000..72dff8e
+--- /dev/null
++++ b/man/network-zone-config-pppoe-server.txt
+@@ -0,0 +1,50 @@
++= network-zone-config-pppoe-server(8)
++
++== NAME
++network-zone-config-pppoe-server - PPPoE Server Settings
++
++== SYNOPSIS
++[verse]
++`network zone ZONE config create pppoe-server ...`
++`network zone ZONE config pppoe-server edit ...`
++
++== DESCRIPTION
++This configuration hook enables a **PPPoE Server** on a zone.
++
++== OPTIONS
++The following options are understood:
++
++`--subnet=SUBNET`::
++	The `--subnet` option defines an IPv4 pool of which IP addresses are
++	assigned to the remote hosts. The first address of the subnet will be used
++	for the gateway which is the PPPoE server itself.
++	+
++	The subnet must at least have two IP addresses.
++
++`--mtu=MTU`::
++	Set the required MTU (Maximum Transmission Unit) for the PPP connection.
++	The default value is 1492 bytes which is a common MTU for DSL connections.
++
++`--service-name=SERVICE NAME`::
++	This option receives a string which will be used as the service name. The
++	service name is sent out to the clients and used for identification but
++	not authorisation purposes.
++	+
++	The default is an empty value.
++
++`--max-sessions=0`::
++	Limit the number of sessions that may be established by the same MAC address.
++	This must be a positive number.
++	0 permits an unlimited number of sessions per MAC address.
++
++== EXAMPLES
++
++This command creates a PPPoE server that will assign an IP address from the
++192.168.0.0/16 subnet:
++
++  network zone net0 config create pppoe-server --subnet=192.168.0.0/16
++
++== SEE ALSO
++link:network[8],
++link:network-zone[8],
++link:network-zone-config[8]
+diff --git a/man/network-zone-config-pppoe-server.xml b/man/network-zone-config-pppoe-server.xml
+deleted file mode 100644
+index e6d497e..0000000
+--- a/man/network-zone-config-pppoe-server.xml
++++ /dev/null
+@@ -1,143 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-zone-config-pppoe-server">
+-	<refentryinfo>
+-		<title>network-zone-config-pppoe-server</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-zone-config-pppoe-server</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-zone-config-pppoe-server</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network zone <replaceable>ZONE</replaceable> config create pppoe-server ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			This configuration hook enables a <emphasis>PPPoE server</emphasis>
+-			functionality to a zone which is of an ethernet-like type.
+-		</para>
+-		<para>
+-			The PPPoE server is mostly for development purpose and performs pretty
+-			well. However, it is not recommended to use it in production environments.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Options</title>
+-
+-		<para>
+-			The following options are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<option>--subnet=<replaceable>SUBNET</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The <option>--subnet</option> option defines an IPv4 pool
+-						of which IP addresses are assigned to the remote hosts.
+-						The first address of the subnet will be used for the
+-						gateway which is the PPPoE server itself.
+-					</para>
+-					<para>
+-						The subnet must at least have two IP addresses.
+-						Broadcast and network addresses will be used as well.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--mtu=<replaceable>MTU</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Set the required MTU (Maximum Transmission Unit) for
+-						the PPP connection.
+-					</para>
+-					<para>
+-						The default value is 1492 bytes which is a common MTU for
+-						DSL connections.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--service-name=<replaceable>STRING</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						This options receives a string which will be used as the
+-						service name. The service name is sent out to the clients
+-						and used for identification but not authorization purposes.
+-					</para>
+-					<para>
+-						The default is an empty value.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--max-sessions=<emphasis>0</emphasis></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Limit the max. number of sessions that may be established
+-						by the same MAC address.
+-					</para>
+-					<para>
+-						This must be a positive number. 0 permits an unlimited
+-						number of sessions per MAC address.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone-config</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0087-man-Convert-network-zone-ip-tunnel-8-to-asciidoc.patch b/network/patches/0087-man-Convert-network-zone-ip-tunnel-8-to-asciidoc.patch
new file mode 100644
index 000000000..ce05d4197
--- /dev/null
+++ b/network/patches/0087-man-Convert-network-zone-ip-tunnel-8-to-asciidoc.patch
@@ -0,0 +1,184 @@ 
+From 6e94de3efa35088eb322ced2653efeec5f5c29fd Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 17:23:07 +0200
+Subject: [PATCH 087/304] man: Convert network-zone-ip-tunnel(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-zone-ip-tunnel.txt |  35 ++++++++++
+ man/network-zone-ip-tunnel.xml | 121 ---------------------------------
+ 2 files changed, 35 insertions(+), 121 deletions(-)
+ create mode 100644 man/network-zone-ip-tunnel.txt
+ delete mode 100644 man/network-zone-ip-tunnel.xml
+
+diff --git a/man/network-zone-ip-tunnel.txt b/man/network-zone-ip-tunnel.txt
+new file mode 100644
+index 0000000..cb30731
+--- /dev/null
++++ b/man/network-zone-ip-tunnel.txt
+@@ -0,0 +1,35 @@
++= network-zone-ip-tunnel(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-zone-ip-tunnel - Manage IP Tunnels
++
++== SYNOPSIS
++[verse]
++`network zone new ZONE ip-tunnel ...`
++`network zone ZONE edit ...`
++
++== DESCRIPTION
++The ip-tunnel hook is used to create IP tunnels that use protocols like GRE to
++encapsulate IP packets.
++
++== OPTIONS
++The following options are understood:
++
++`--mode=MODE`::
++	Sets the protocol that is being used to encapsulate IP packets.
++	Currently only **GRE** is supported.
++
++`--peer=PEER`::
++	The address of the peer that terminates the remote end of this tunnel.
++	+
++	If left empty, connections from any IP address will be accepted.
++
++`--local-address=LOCAL-ADDRESS`::
++	The local IP address the tunnel originates from.
++	+
++	This is optional and if unset a useful default will be used.
++
++== SEE ALSO
++link:network[8],
++link:network-zone[8]
+diff --git a/man/network-zone-ip-tunnel.xml b/man/network-zone-ip-tunnel.xml
+deleted file mode 100644
+index a1cc257..0000000
+--- a/man/network-zone-ip-tunnel.xml
++++ /dev/null
+@@ -1,121 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-zone-ip-tunnel">
+-	<refentryinfo>
+-		<title>network-zone-ip-tunnel</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-zone-ip-tunnel</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-zone-ip-tunnel</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network zone new <replaceable>ZONE</replaceable> ip-tunnel ...</command>
+-		</cmdsynopsis>
+-
+-		<cmdsynopsis>
+-			<command>network zone <replaceable>ZONE</replaceable> edit ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The ip-tunnel hook is used to create IP tunnels that use protocols
+-			like GRE to encapsulate IP packets.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Options</title>
+-
+-		<para>
+-			The following options are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<option>--mode=<replaceable>MODE</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the protocol that is being used to encapsulate
+-						IP packets.
+-						Currently only <replaceable>gre</replaceable> is supported.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--peer=<replaceable>PEER</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The address of the peer that terminates the remote
+-						end of this tunnel.
+-					</para>
+-
+-					<para>
+-						If left empty, connections from any IP address will
+-						be accepted.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--local-address=<replaceable>LOCAL-ADDRESS</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The local IP address the tunnel originates from.
+-					</para>
+-
+-					<para>
+-						This is optional and if unset a useful default will be used.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0088-man-Convert-network-zone-modem-8-to-asciidoc.patch b/network/patches/0088-man-Convert-network-zone-modem-8-to-asciidoc.patch
new file mode 100644
index 000000000..d140ce3f8
--- /dev/null
+++ b/network/patches/0088-man-Convert-network-zone-modem-8-to-asciidoc.patch
@@ -0,0 +1,329 @@ 
+From 23eec7d08e289749759927bcf4c2387cbfcbdce2 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 17:34:10 +0200
+Subject: [PATCH 088/304] man: Convert network-zone-modem(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-zone-modem.txt |  66 +++++++++++
+ man/network-zone-modem.xml | 235 -------------------------------------
+ 2 files changed, 66 insertions(+), 235 deletions(-)
+ create mode 100644 man/network-zone-modem.txt
+ delete mode 100644 man/network-zone-modem.xml
+
+diff --git a/man/network-zone-modem.txt b/man/network-zone-modem.txt
+new file mode 100644
+index 0000000..6b09622
+--- /dev/null
++++ b/man/network-zone-modem.txt
+@@ -0,0 +1,66 @@
++= network-zone-modem(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-zone-modem - Configure serial modems
++
++== SYNOPSIS
++[verse]
++`network zone new ZONE modem ...`
++
++== DESCRIPTION
++The modem hook uses a serial interface to establish a PPP session to an Internet
++Service Provider. This method is used by 56k modems and mobile networks like
++LTE, GSM and 3G.
++
++== OPTIONS
++The following options are understood:
++
++`--device=DEVICE`::
++	Sets the serial device that is used to connect. Example: /dev/ttyUSB0
++
++`--monitor-device=DEVICE`::
++	The optional monitor device is used to collect status information like
++	signal strength and link quality while the connection is established.
++
++`--imsi=IMSI`::
++	Set the IMSI of the SIM card inside the wireless modem to identify it when
++	it is plugged in at runtime.
++
++`--pin=PIN`::
++	The PIN number of the SIM card.
++	This will be used to unlock the SIM card when it is locked.
++
++`--apn=APN`::
++	Sets the Access Point Name (APN) that the modem connects to.
++
++`--phone-number=PHONE-NUMBER`::
++	Sets the phone number that is dialled by the modem when the connection is
++	to be established.
++
++`--username=USERNAME`::
++	Sets the username for authentication.
++
++`--password=PASSWORD`::
++	Sets the password for authentication.
++	+
++	Use the `--auth=` option to transmit it in a secure manner to the provider.
++
++`--baudrate=921600`::
++	The baudrate for the serial link to the modem.
++
++`--mtu=N`::
++	Sets the default MTU of the PPP connection.
++
++`--auth=[chap|pap]`::
++	Define the authentication method that is used to authenticate against your
++	provider. The default is to use the provider's preference.
++
++	* _Challange-Handshake Authentication Protocol_ (`chap`) is the preferred,
++	secure method.
++	* _Password Authentication Protocol_ (`pap`) sends the plaintext password
++	to the authentication server which is the reason why it should be avoided.
++
++== SEE ALSO
++link:network[8],
++link:network-zone[8]
+diff --git a/man/network-zone-modem.xml b/man/network-zone-modem.xml
+deleted file mode 100644
+index 97a1d35..0000000
+--- a/man/network-zone-modem.xml
++++ /dev/null
+@@ -1,235 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-zone-modem">
+-	<refentryinfo>
+-		<title>network-zone-modem</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-zone-modem</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-zone-modem</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network zone new <replaceable>ZONE</replaceable> modem ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The modem hook uses a serial interface to establish a PPP session to an
+-			Internet Service Provider. This method is used by 56k modems and mobile
+-			networks like LTE, GSM and 3G.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Options</title>
+-
+-		<para>
+-			The following options are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<option>--device=<replaceable>DEVICE</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the serial device that is used to connect.
+-					</para>
+-					<para>
+-						Example: /dev/ttyUSB0
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--monitor-device=<replaceable>DEVICE</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The optional monitor device is used to collect status
+-						information like signal strength and link quality while
+-						the connection is established.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--imsi=<replaceable>IMSI</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Set the IMSI of the SIM card inside the wireless modem
+-						to identify it when it is plugged in at runtime.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--pin=<replaceable>PIN</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The PIN number of the SIM card.
+-					</para>
+-					<para>
+-						This will be used to unlock the SIM card when it
+-						is locked.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--apn=<replaceable>APN</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the Access Point Name (<replaceable>APN</replaceable>)
+-						that the modem connects to.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--phone-number=<replaceable>PHONE-NUMBER</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the phone number that is dialed by the modem when
+-						the connection is to be established.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--username=<replaceable>USERNAME</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the username for authentication.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--password=<replaceable>PASSWORD</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the password for authentication.
+-					</para>
+-					<para>
+-						Use the <option>--auth=</option> option to transmit it
+-						in a secure manner to the provider.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--baudrate=<emphasis>921600</emphasis></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						The baudrate for the serial link to the modem.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--mtu=<emphasis>N</emphasis></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the default MTU of the PPP connection.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--auth=[chap|pap]</option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Define the authentication method that is used to
+-						authenticate against your provider.
+-						The default is to use the provider's preference.
+-					</para>
+-					<itemizedlist>
+-						<listitem>
+-							<para>
+-								<emphasis>Challange-Handshake Authentication Protocol</emphasis>
+-								(chap) is the preferred secure method.
+-							</para>
+-						</listitem>
+-						<listitem>
+-							<para>
+-								<emphasis>Password Authentication Protocol</emphasis>
+-								(pap) sends the plaintext password to the authentication
+-								server which is the reason why it should be avoided to use PAP.
+-							</para>
+-						</listitem>
+-					</itemizedlist>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0089-man-Convert-network-zone-pppoe-8-to-asciidoc.patch b/network/patches/0089-man-Convert-network-zone-pppoe-8-to-asciidoc.patch
new file mode 100644
index 000000000..191195159
--- /dev/null
+++ b/network/patches/0089-man-Convert-network-zone-pppoe-8-to-asciidoc.patch
@@ -0,0 +1,266 @@ 
+From d4f0a25cd61fe6a7d0cb711e269e9b75925edf23 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 17:42:10 +0200
+Subject: [PATCH 089/304] man: Convert network-zone-pppoe(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-zone-pppoe.txt |  52 +++++++++++
+ man/network-zone-pppoe.xml | 186 -------------------------------------
+ 2 files changed, 52 insertions(+), 186 deletions(-)
+ create mode 100644 man/network-zone-pppoe.txt
+ delete mode 100644 man/network-zone-pppoe.xml
+
+diff --git a/man/network-zone-pppoe.txt b/man/network-zone-pppoe.txt
+new file mode 100644
+index 0000000..93b55f2
+--- /dev/null
++++ b/man/network-zone-pppoe.txt
+@@ -0,0 +1,52 @@
++= network-zone-pppoe(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-zone-pppoe - PPP over Ethernet
++
++== SYNOPSIS
++[verse]
++`network zone new ZONE pppoe ...`
++
++== DESCRIPTION
++The `pppoe` hook creates a PPPoE connection to your ISP.
++
++== OPTIONS
++The following options are understood:
++
++`--username=USERNAME`::
++	Sets the username for authentication.
++
++`--password=PASSWORD`::
++	Sets the password for authentication.
++	+
++	Use the `--auth=` option to transmit it in a secure manner to the provider.
++
++`--mtu=N`::
++	Sets the default MTU of the PPP connection.
++
++`--auth=[chap|pap]`::
++	Define the authentication method that is used to authenticate against your
++	provider. The default is to use the provider's preference.
++
++	* _Challange-Handshake Authentication Protocol_ (`chap`) is the preferred,
++	secure method.
++	* _Password Authentication Protocol_ (`pap`) sends the plaintext password
++	to the authentication server which is the reason why it should be avoided.
++
++`--access-concentrator=STRING`::
++	By this option, you may define the name of the access concentrator.
++
++`--service-name=STRING`::
++	By this option, you may define the service name.
++
++`--ipv6=[on|off]`::
++	By this option, you may enable or disable IPv6.
++
++`--prefix-delegation=[on|off]`::
++	By this option, you may enable or disable the delegation through your
++	provider of one IPv6 prefix to your system.
++
++== SEE ALSO
++link:network[8],
++link:network-zone[8]
+diff --git a/man/network-zone-pppoe.xml b/man/network-zone-pppoe.xml
+deleted file mode 100644
+index 36c4d0e..0000000
+--- a/man/network-zone-pppoe.xml
++++ /dev/null
+@@ -1,186 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-zone-pppoe">
+-	<refentryinfo>
+-		<title>network-zone-pppoe</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-zone-pppoe</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-zone-pppoe</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network zone new <replaceable>ZONE</replaceable> pppoe ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The pppoe hook creates a PPPoE connection to your ISP.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Options</title>
+-
+-		<para>
+-			The following options are understood:
+-		</para>
+-
+-		<variablelist>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--username=<replaceable>USERNAME</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the username for authentication.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--password=<replaceable>PASSWORD</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the password for authentication.
+-					</para>
+-					<para>
+-						Use the <option>--auth=</option> option to transmit it
+-						in a secure manner to the provider.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--mtu=<emphasis>N</emphasis></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Sets the default MTU of the PPP connection.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--auth=[chap|pap]</option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Define the authentication method that is used to
+-						authenticate against your provider.
+-						The default is to use the provider's preference.
+-					</para>
+-					<itemizedlist>
+-						<listitem>
+-							<para>
+-								<emphasis>Challange-Handshake Authentication Protocol</emphasis>
+-								(chap) is the preferred secure method.
+-							</para>
+-						</listitem>
+-						<listitem>
+-							<para>
+-								<emphasis>Password Authentication Protocol</emphasis>
+-								(pap) sends the plaintext password to the authentication
+-								server which is the reason why it should be avoided to use PAP.
+-							</para>
+-						</listitem>
+-					</itemizedlist>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--access-concentrator=<replaceable>STRING</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						By this option, you may define the name of the access concentrator.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--service-name=<replaceable>STRING</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						By this option, you may define the service name.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--ipv6=[<emphasis>on</emphasis>|off]</option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						By this option, you may enable or disable IPv6
+-					</para>				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--prefix-delegation=[<emphasis>on</emphasis>|off]</option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						 By this option, you may enable or disable the delegation through your provider of one IPv6 prefix to your system.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0090-man-Convert-network-zone-wireless-8-to-asciidoc.patch b/network/patches/0090-man-Convert-network-zone-wireless-8-to-asciidoc.patch
new file mode 100644
index 000000000..e5c9cf7ff
--- /dev/null
+++ b/network/patches/0090-man-Convert-network-zone-wireless-8-to-asciidoc.patch
@@ -0,0 +1,167 @@ 
+From bc2b9c75cd5b73e1c2de5463fc1c0bc94b6dad93 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 17:53:20 +0200
+Subject: [PATCH 090/304] man: Convert network-zone-wireless(8) to asciidoc
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-zone-wireless.txt |  32 ++++++++++
+ man/network-zone-wireless.xml | 107 ----------------------------------
+ 2 files changed, 32 insertions(+), 107 deletions(-)
+ create mode 100644 man/network-zone-wireless.txt
+ delete mode 100644 man/network-zone-wireless.xml
+
+diff --git a/man/network-zone-wireless.txt b/man/network-zone-wireless.txt
+new file mode 100644
+index 0000000..368ac2a
+--- /dev/null
++++ b/man/network-zone-wireless.txt
+@@ -0,0 +1,32 @@
++= network-zone-wireless(8)
++Michael Tremer <michael.tremer@ipfire.org>
++
++== NAME
++network-zone-wireless - Wireless Networks
++
++== SYNOPSIS
++[verse]
++`network zone new ZONE wireless ...`
++
++== DESCRIPTION
++The wireless hook uses a WiFi interface and connects to a wireless access point
++in station mode.
++
++Configuration and credentials for any wireless networks to connect to can be
++configured by using link:network-wireless-network[8].
++
++== OPTIONS
++The following options are understood:
++
++`--phy=PHY`::
++	Takes the MAC address or name of the physical layer that is used to create
++	a virtual wireless interface.
++
++`--address=ADDRESS`::
++	Define a MAC address that is used for the virtual wireless device. This
++	parameter is optional and a random MAC address will be generated when
++	omitted.
++
++== SEE ALSO
++link:network[8],
++link:network-zone[8]
+diff --git a/man/network-zone-wireless.xml b/man/network-zone-wireless.xml
+deleted file mode 100644
+index 0931245..0000000
+--- a/man/network-zone-wireless.xml
++++ /dev/null
+@@ -1,107 +0,0 @@
+-<?xml version="1.0"?>
+-<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+-	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+-
+-<refentry id="network-zone-wireless">
+-	<refentryinfo>
+-		<title>network-zone-wireless</title>
+-		<productname>network</productname>
+-
+-		<authorgroup>
+-			<author>
+-				<contrib>Developer</contrib>
+-				<firstname>Michael</firstname>
+-				<surname>Tremer</surname>
+-				<email>michael.tremer@ipfire.org</email>
+-			</author>
+-		</authorgroup>
+-	</refentryinfo>
+-
+-	<refmeta>
+-		<refentrytitle>network-zone-wireless</refentrytitle>
+-		<manvolnum>8</manvolnum>
+-	</refmeta>
+-
+-	<refnamediv>
+-		<refname>network-zone-wireless</refname>
+-		<refpurpose>Network Configuration Control Program</refpurpose>
+-	</refnamediv>
+-
+-	<refsynopsisdiv>
+-		<cmdsynopsis>
+-			<command>network zone new <replaceable>ZONE</replaceable> wireless ...</command>
+-		</cmdsynopsis>
+-	</refsynopsisdiv>
+-
+-	<refsect1>
+-		<title>Description</title>
+-
+-		<para>
+-			The wireless hook uses a WiFi interface and connects to a
+-			wireless access point in station mode.
+-		</para>
+-
+-		<para>
+-			Configuration and credentials for any wireless networks to
+-			connect to can be configured by using the
+-			<command>network wireless network</command> command.
+-
+-			See <citerefentry>
+-				<refentrytitle>network-wireless-networks</refentrytitle>
+-				<manvolnum>8</manvolnum>,
+-			</citerefentry> for details.
+-		</para>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>Options</title>
+-
+-		<para>
+-			The following options are understood:
+-		</para>
+-
+-		<variablelist>
+-			<varlistentry>
+-				<term>
+-					<option>--phy=<replaceable>PHY</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Takes the MAC address or name of the physical layer
+-						that is used to create a virtual wireless interface.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-
+-			<varlistentry>
+-				<term>
+-					<option>--address=<replaceable>ADDRESS</replaceable></option>
+-				</term>
+-
+-				<listitem>
+-					<para>
+-						Define a MAC address that is used for the virtual
+-						wireless device. This parameter is optional and
+-						a random MAC address will be generated when omitted.
+-					</para>
+-				</listitem>
+-			</varlistentry>
+-		</variablelist>
+-	</refsect1>
+-
+-	<refsect1>
+-		<title>See Also</title>
+-
+-		<para>
+-			<citerefentry>
+-				<refentrytitle>network</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>,
+-			<citerefentry>
+-				<refentrytitle>network-zone</refentrytitle>
+-				<manvolnum>8</manvolnum>
+-			</citerefentry>
+-		</para>
+-	</refsect1>
+-</refentry>
+-- 
+2.39.2
+
diff --git a/network/patches/0091-man-Cleanup-XML-files.patch b/network/patches/0091-man-Cleanup-XML-files.patch
new file mode 100644
index 000000000..3cda095e2
--- /dev/null
+++ b/network/patches/0091-man-Cleanup-XML-files.patch
@@ -0,0 +1,43 @@ 
+From d746901bf5d4b4eb7591d1e009fad2960647e034 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 20:01:00 +0200
+Subject: [PATCH 091/304] man: Cleanup XML files
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 26f2e9c..d79b0f2 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -475,7 +475,8 @@ MANPAGES = \
+ 	man/network-zone-wireless.8
+ 
+ MANPAGES_TXT  = $(patsubst %.8,%.txt,$(MANPAGES))
+-MANPAGES_HTML = $(patsubst %.txt,%.html,$(MANPAGES))
++MANPAGES_HTML = $(patsubst %.txt,%.html,$(MANPAGES_TXT))
++MANPAGES_XML  = $(patsubst %.txt,%.xml,$(MANPAGES_TXT))
+ 
+ .PHONY: man
+ man: $(MANPAGES) $(MANPAGES_HTML)
+@@ -484,11 +485,13 @@ man_MANS = \
+ 	$(MANPAGES)
+ 
+ noinst_DATA += \
+-	$(MANPAGES_HTML)
++	$(MANPAGES_HTML) \
++	$(MANPAGES_XML)
+ 
+ CLEANFILES += \
+ 	$(man_MANS) \
+-	$(MANPAGES_HTML)
++	$(MANPAGES_HTML) \
++	$(MANPAGES_XML)
+ 
+ EXTRA_DIST += \
+ 	$(MANPAGES_TXT)
+-- 
+2.39.2
+
diff --git a/network/patches/0092-man-Make-distcheck-happy.patch b/network/patches/0092-man-Make-distcheck-happy.patch
new file mode 100644
index 000000000..18d763532
--- /dev/null
+++ b/network/patches/0092-man-Make-distcheck-happy.patch
@@ -0,0 +1,54 @@ 
+From 5d881996d1a5cf6211ae1fa0d4c4cd6fe6867f79 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 20:08:00 +0200
+Subject: [PATCH 092/304] man: Make distcheck happy
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index d79b0f2..0257b02 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -494,6 +494,7 @@ CLEANFILES += \
+ 	$(MANPAGES_XML)
+ 
+ EXTRA_DIST += \
++	man/asciidoc.conf \
+ 	$(MANPAGES_TXT)
+ 
+ XSLTPROC_FLAGS = \
+@@ -505,20 +506,23 @@ XSLTPROC_FLAGS = \
+ 	--stringparam man.copyright.section.enabled 1
+ 
+ XSLTPROC_COMMAND_MAN = \
+-	$(AM_V_XSLT)$(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) \
++	$(AM_V_XSLT)$(MKDIR_P) $(dir $@) && \
++	$(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) \
+ 		http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+ 
+ man/%.xml: man/%.txt man/asciidoc.conf
+-	$(AM_V_ASCIIDOC)$(ASCIIDOC) \
+-		-f man/asciidoc.conf \
++	$(AM_V_ASCIIDOC)$(MKDIR_P) $(dir $@) && \
++	$(ASCIIDOC) \
++		-f $(abs_srcdir)/man/asciidoc.conf \
+ 		-d manpage -b docbook -o $@ $<
+ 
+ man/%.8: man/%.xml
+ 	$(XSLTPROC_COMMAND_MAN)
+ 
+ man/%.html: man/%.txt man/asciidoc.conf
+-	$(AM_V_ASCIIDOC)$(ASCIIDOC) \
+-		-f man/asciidoc.conf \
++	$(AM_V_ASCIIDOC)$(MKDIR_P) $(dir $@) && \
++	$(ASCIIDOC) \
++		-f $(abs_srcdir)/man/asciidoc.conf \
+ 		-b html5 -a icons -a theme=flask -o $@ $<
+ 
+ # ------------------------------------------------------------------------------
+-- 
+2.39.2
+
diff --git a/network/patches/0093-man-Include-include-files-in-tarball.patch b/network/patches/0093-man-Include-include-files-in-tarball.patch
new file mode 100644
index 000000000..7270d85bc
--- /dev/null
+++ b/network/patches/0093-man-Include-include-files-in-tarball.patch
@@ -0,0 +1,28 @@ 
+From ff43523863b7ad7f50f5dfd4fdf80251ef01fa51 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 20:14:34 +0200
+Subject: [PATCH 093/304] man: Include include files in tarball
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 0257b02..6b77f0a 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -474,6 +474,10 @@ MANPAGES = \
+ 	man/network-zone-pppoe.8 \
+ 	man/network-zone-wireless.8
+ 
++EXTRA_DIST += \
++	man/include-color.txt \
++	man/include-description.txt
++
+ MANPAGES_TXT  = $(patsubst %.8,%.txt,$(MANPAGES))
+ MANPAGES_HTML = $(patsubst %.txt,%.html,$(MANPAGES_TXT))
+ MANPAGES_XML  = $(patsubst %.txt,%.xml,$(MANPAGES_TXT))
+-- 
+2.39.2
+
diff --git a/network/patches/0094-man-network-route-static-Fix-name.patch b/network/patches/0094-man-network-route-static-Fix-name.patch
new file mode 100644
index 000000000..c13af1a79
--- /dev/null
+++ b/network/patches/0094-man-network-route-static-Fix-name.patch
@@ -0,0 +1,26 @@ 
+From 71bdead694bdae2e40e8a9f99403b4ec2db77914 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 31 Mar 2019 20:17:09 +0200
+Subject: [PATCH 094/304] man: network-route-static: Fix name
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-route-static.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/network-route-static.txt b/man/network-route-static.txt
+index d4774b2..c6c3fea 100644
+--- a/man/network-route-static.txt
++++ b/man/network-route-static.txt
+@@ -2,7 +2,7 @@
+ Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+-network-route - Manage Static Routing
++network-route-static - Manage Static Routing
+ 
+ == SYNOPSIS
+ [verse]
+-- 
+2.39.2
+
diff --git a/network/patches/0095-Makefile-Add-target-to-upload-HTML-man-pages.patch b/network/patches/0095-Makefile-Add-target-to-upload-HTML-man-pages.patch
new file mode 100644
index 000000000..b6f262fdb
--- /dev/null
+++ b/network/patches/0095-Makefile-Add-target-to-upload-HTML-man-pages.patch
@@ -0,0 +1,28 @@ 
+From 2d2e96269516032b3bc4f2222067f6b82398a70a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 1 Apr 2019 12:31:53 +0200
+Subject: [PATCH 095/304] Makefile: Add target to upload HTML man pages
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 6b77f0a..955f2b7 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -529,6 +529,10 @@ man/%.html: man/%.txt man/asciidoc.conf
+ 		-f $(abs_srcdir)/man/asciidoc.conf \
+ 		-b html5 -a icons -a theme=flask -o $@ $<
+ 
++.PHONY: upload-man
++upload-man: $(MANPAGES_HTML)
++	rsync -avHz --delete --progress $(MANPAGES_HTML) ms@people.ipfire.org:/pub/man-pages/$(PACKAGE_NAME)/
++
+ # ------------------------------------------------------------------------------
+ 
+ substitutions = \
+-- 
+2.39.2
+
diff --git a/network/patches/0096-man-Do-not-generate-HTML-documentation-in-normal-bui.patch b/network/patches/0096-man-Do-not-generate-HTML-documentation-in-normal-bui.patch
new file mode 100644
index 000000000..b1c34b320
--- /dev/null
+++ b/network/patches/0096-man-Do-not-generate-HTML-documentation-in-normal-bui.patch
@@ -0,0 +1,29 @@ 
+From 95556ed6aa03a160df0ed6e929389c3d7283b87b Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 1 Apr 2019 12:45:55 +0200
+Subject: [PATCH 096/304] man: Do not generate HTML documentation in normal
+ build
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 955f2b7..4c26a9d 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -488,10 +488,6 @@ man: $(MANPAGES) $(MANPAGES_HTML)
+ man_MANS = \
+ 	$(MANPAGES)
+ 
+-noinst_DATA += \
+-	$(MANPAGES_HTML) \
+-	$(MANPAGES_XML)
+-
+ CLEANFILES += \
+ 	$(man_MANS) \
+ 	$(MANPAGES_HTML) \
+-- 
+2.39.2
+
diff --git a/network/patches/0097-man-Fix-authorship-warnings.patch b/network/patches/0097-man-Fix-authorship-warnings.patch
new file mode 100644
index 000000000..317a63569
--- /dev/null
+++ b/network/patches/0097-man-Fix-authorship-warnings.patch
@@ -0,0 +1,205 @@ 
+From 6b1e747472ac60192146fc5ddba12b4a5d021194 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 1 Apr 2019 12:47:02 +0200
+Subject: [PATCH 097/304] man: Fix authorship warnings
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-route-static.txt             | 4 +++-
+ man/network-settings.txt                 | 1 -
+ man/network-vpn-security-policies.txt    | 4 +++-
+ man/network-zone-bridge.txt              | 4 +++-
+ man/network-zone-config-pppoe-server.txt | 3 +++
+ man/network-zone-ip-tunnel.txt           | 4 +++-
+ man/network-zone-modem.txt               | 4 +++-
+ man/network-zone-pppoe.txt               | 4 +++-
+ man/network-zone-wireless.txt            | 4 +++-
+ man/network-zone.txt                     | 4 +++-
+ 10 files changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/man/network-route-static.txt b/man/network-route-static.txt
+index c6c3fea..4ba97eb 100644
+--- a/man/network-route-static.txt
++++ b/man/network-route-static.txt
+@@ -1,5 +1,4 @@
+ = network-route-static(8)
+-Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+ network-route-static - Manage Static Routing
+@@ -63,6 +62,9 @@ The following commands are understood:
+ 	Packets matching this kind of route are silently discarded.
+ 	There will be no ICMP message sent to the source and no packet be forwarded.
+ 
++== AUTHORS
++Michael Tremer
++
+ == SEE ALSO
+ link:network[8],
+ link:network-route[8],
+diff --git a/man/network-settings.txt b/man/network-settings.txt
+index e77f038..a1c1ae3 100644
+--- a/man/network-settings.txt
++++ b/man/network-settings.txt
+@@ -1,5 +1,4 @@
+ = network-settings(8)
+-Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+ network-settings - Change global network settings
+diff --git a/man/network-vpn-security-policies.txt b/man/network-vpn-security-policies.txt
+index f9dc91a..3c843d7 100644
+--- a/man/network-vpn-security-policies.txt
++++ b/man/network-vpn-security-policies.txt
+@@ -1,5 +1,4 @@
+ = network-vpn-security-policies(8)
+-Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+ network-vpn-security-policies - Configure VPN Security Policies
+@@ -106,6 +105,9 @@ They are intended to provide good defaults for various situations.
+ 
+ System policies cannot be deleted.
+ 
++== AUTHORS
++Michael Tremer
++
+ == SEE ALSO
+ link:network[8],
+ link:network-vpn[8]
+diff --git a/man/network-zone-bridge.txt b/man/network-zone-bridge.txt
+index 2e4f839..46c78a6 100644
+--- a/man/network-zone-bridge.txt
++++ b/man/network-zone-bridge.txt
+@@ -1,5 +1,4 @@
+ = network-zone-bridge(8)
+-Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+ network-zone-bridge - Manage network zones
+@@ -50,6 +49,9 @@ Spanning Tree Protocol (802.1D) configuration options:
+ 	The STP priority sets the ranking of this network device within the network.
+ 	The bridge with the best rank (0 is best) will become the root bridge.
+ 
++== AUTHORS
++Michael Tremer
++
+ == SEE ALSO
+ link:network[8],
+ link:network-zone[8]
+diff --git a/man/network-zone-config-pppoe-server.txt b/man/network-zone-config-pppoe-server.txt
+index 72dff8e..7d83bd1 100644
+--- a/man/network-zone-config-pppoe-server.txt
++++ b/man/network-zone-config-pppoe-server.txt
+@@ -44,6 +44,9 @@ This command creates a PPPoE server that will assign an IP address from the
+ 
+   network zone net0 config create pppoe-server --subnet=192.168.0.0/16
+ 
++== AUTHORS
++Michael Tremer
++
+ == SEE ALSO
+ link:network[8],
+ link:network-zone[8],
+diff --git a/man/network-zone-ip-tunnel.txt b/man/network-zone-ip-tunnel.txt
+index cb30731..8e2f30a 100644
+--- a/man/network-zone-ip-tunnel.txt
++++ b/man/network-zone-ip-tunnel.txt
+@@ -1,5 +1,4 @@
+ = network-zone-ip-tunnel(8)
+-Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+ network-zone-ip-tunnel - Manage IP Tunnels
+@@ -30,6 +29,9 @@ The following options are understood:
+ 	+
+ 	This is optional and if unset a useful default will be used.
+ 
++== AUTHORS
++Michael Tremer
++
+ == SEE ALSO
+ link:network[8],
+ link:network-zone[8]
+diff --git a/man/network-zone-modem.txt b/man/network-zone-modem.txt
+index 6b09622..082bb21 100644
+--- a/man/network-zone-modem.txt
++++ b/man/network-zone-modem.txt
+@@ -1,5 +1,4 @@
+ = network-zone-modem(8)
+-Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+ network-zone-modem - Configure serial modems
+@@ -61,6 +60,9 @@ The following options are understood:
+ 	* _Password Authentication Protocol_ (`pap`) sends the plaintext password
+ 	to the authentication server which is the reason why it should be avoided.
+ 
++== AUTHORS
++Michael Tremer
++
+ == SEE ALSO
+ link:network[8],
+ link:network-zone[8]
+diff --git a/man/network-zone-pppoe.txt b/man/network-zone-pppoe.txt
+index 93b55f2..1a1c4f3 100644
+--- a/man/network-zone-pppoe.txt
++++ b/man/network-zone-pppoe.txt
+@@ -1,5 +1,4 @@
+ = network-zone-pppoe(8)
+-Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+ network-zone-pppoe - PPP over Ethernet
+@@ -47,6 +46,9 @@ The following options are understood:
+ 	By this option, you may enable or disable the delegation through your
+ 	provider of one IPv6 prefix to your system.
+ 
++== AUTHORS
++Michael Tremer
++
+ == SEE ALSO
+ link:network[8],
+ link:network-zone[8]
+diff --git a/man/network-zone-wireless.txt b/man/network-zone-wireless.txt
+index 368ac2a..531f8ff 100644
+--- a/man/network-zone-wireless.txt
++++ b/man/network-zone-wireless.txt
+@@ -1,5 +1,4 @@
+ = network-zone-wireless(8)
+-Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+ network-zone-wireless - Wireless Networks
+@@ -27,6 +26,9 @@ The following options are understood:
+ 	parameter is optional and a random MAC address will be generated when
+ 	omitted.
+ 
++== AUTHORS
++Michael Tremer
++
+ == SEE ALSO
+ link:network[8],
+ link:network-zone[8]
+diff --git a/man/network-zone.txt b/man/network-zone.txt
+index 88a1988..2c2c6f0 100644
+--- a/man/network-zone.txt
++++ b/man/network-zone.txt
+@@ -1,5 +1,4 @@
+ = network-zone(8)
+-Michael Tremer <michael.tremer@ipfire.org>
+ 
+ == NAME
+ network-zone - Manage network zones
+@@ -69,5 +68,8 @@ include::include-description.txt[]
+ 	The command will shut down the zone if it is up and start it again with
+ 	the new name. If the zone is not up it won't be started.
+ 
++== AUTHORS
++Michael Tremer
++
+ == SEE ALSO
+ link:network[8]
+-- 
+2.39.2
+
diff --git a/network/patches/0098-man-Make-syntax-format-more-similar-across-files.patch b/network/patches/0098-man-Make-syntax-format-more-similar-across-files.patch
new file mode 100644
index 000000000..5752c844c
--- /dev/null
+++ b/network/patches/0098-man-Make-syntax-format-more-similar-across-files.patch
@@ -0,0 +1,583 @@ 
+From 39cfece88a2978f946e1713fbf1e2be3faf124d6 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 1 Apr 2019 19:49:01 +0200
+Subject: [PATCH 098/304] man: Make syntax format more similar across files
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/firewall-settings.txt          | 29 +++++------
+ man/network-device.txt             | 37 ++++++--------
+ man/network-dhcp.txt               | 35 ++++++--------
+ man/network-dns-server.txt         | 50 ++++++++-----------
+ man/network-performance-tuning.txt | 17 +++----
+ man/network-port.txt               | 77 ++++++++++++++----------------
+ man/network-quick-start.txt        | 15 ++----
+ man/network-route-static.txt       | 18 +++----
+ 8 files changed, 116 insertions(+), 162 deletions(-)
+
+diff --git a/man/firewall-settings.txt b/man/firewall-settings.txt
+index 20038e3..81c9bd9 100644
+--- a/man/firewall-settings.txt
++++ b/man/firewall-settings.txt
+@@ -1,30 +1,25 @@
+-firewall-settings(8)
+-====================
++= firewall-settings(8)
+ 
+-NAME
+-----
++== NAME
+ firewall-settings - Global firewall settings
+ 
+-SYNOPSIS
+---------
++== SYNOPSIS
+ [verse]
+-'firewall settings'
+-'firewall settings' KEY=VALUE ...
++`firewall settings`
++`firewall settings` KEY=VALUE ...
+ 
+-DESCRIPTION
+------------
++== DESCRIPTION
+ This command is used to set global firewall settings.
+ Please have a look at the individual man pages for more options.
+ 
+-COMMANDS
+---------
++== COMMANDS
+ If no argument is given, the configuration will be dumped to the console.
+ 
+ You may set a new value by adding the variable name and the new value to
+ the command line.
+ 
+-SETTINGS
+---------
++== SETTINGS
++
+ === CONNTRACK_MAX_CONNECTIONS = 16384
+ Limits the max. number of simultaneous connections.
+ 
+@@ -88,10 +83,8 @@ Some routers on the Internet still do not support ECN properly.
+ When this setting is disabled, ECN is only advertised
+ when asked for.
+ 
+-AUTHORS
+--------
++== AUTHORS
+ Michael Tremer
+ 
+-SEE ALSO
+---------
++== SEE ALSO
+ link:firewall[8]
+diff --git a/man/network-device.txt b/man/network-device.txt
+index 4f1c1b0..d70536e 100644
+--- a/man/network-device.txt
++++ b/man/network-device.txt
+@@ -1,61 +1,54 @@
+-network-device(8)
+-=================
++= network-device(8)
+ 
+-NAME
+-----
++== NAME
+ network-device - Controls network devices
+ 
+-SYNOPSIS
+---------
++== SYNOPSIS
+ [verse]
+-'network device' [<options>] <command> ...
++`network device` COMMAND ...
+ 
+-DESCRIPTION
+------------
+-The 'network device' command shows low-level status information
++== DESCRIPTION
++The `network device` command shows low-level status information
+ of network devices and other things.
+ 
+-COMMANDS
+---------
++== COMMANDS
+ The following commands are understood:
+ 
+-'list'::
++`list`::
+ 	This command shows a list of all device that are currently present
+ 	on this system. This includes PHYs and serial devices as well.
+ 
+-'DEVICE discover'::
++`DEVICE discover`::
+ 	Runs a discovery for many hooks on the given device.
+ 
+ 	This will check if the hook can find for example a DHCP server or
+ 	DSLAM and thus predict for what the device should be used.
+ 
+-'DEVICE identify'::
++`DEVICE identify`::
+ 	This command only works for Ethernet adapters and will make those
+ 	that support this feature flash for a few seconds.
+ 
+ 	It is handy to find the right device to put the cable in.
+ 
+-'DEVICE monitor'::
++`DEVICE monitor`::
+ 	This command creates a monitor interface for wireless modules.
+ 
+ 	An instance of link:tcpdump[8] will be started and show all
+ 	frames that are sent or received on the 802.11 layer (layer 2).
+ 
+-'DEVICE status'::
++`DEVICE status`::
+ 	This will show you very detailed information about the given device.
+ 
+-'DEVICE unlock'::
++`DEVICE unlock`::
+ 	This command will unlock the SIM card in a modem.
+ 	Only serial devices are supported which are the most 4G or 3G modems.
+ 
+ 	For the PIN or PUK code, the user will be prompted.
+ 
+-AUTHORS
+--------
++== AUTHORS
+ Michael Tremer
+ 
+-SEE ALSO
+---------
++== SEE ALSO
+ link:network[8]
+ link:network-port[8]
+ link:network-zone[8]
+diff --git a/man/network-dhcp.txt b/man/network-dhcp.txt
+index bcb768e..11e5fb4 100644
+--- a/man/network-dhcp.txt
++++ b/man/network-dhcp.txt
+@@ -1,44 +1,37 @@
+-network-dhcp(8)
+-===============
++= network-dhcp(8)
+ 
+-NAME
+-----
++== NAME
+ network-dhcp - Controls the DHCP Server
+ 
+-SYNOPSIS
+---------
++== SYNOPSIS
+ [verse]
+-'network dhcpv6' <command> ...
+-'network dhcpv4' <command> ...
++`network dhcpv6` COMMAND ...
++`network dhcpv4` COMMAND ...
+ 
+-DESCRIPTION
+------------
++== DESCRIPTION
+ With help of the DHCP commands it is possible to configure DHCP
+ servers for IPv6 and IPv4.
+ 
+-COMMANDS
+---------
++== COMMANDS
+ The following commands are understood:
+ 
+-'start'::
++`start`::
+ 	Starts the DHCP server.
+ 
+-'stop'::
++`stop`::
+ 	Stops the DHCP server.
+ 
+-'restart'::
++`restart`::
+ 	Restarts the DHCP server.
+ 
+-'reload'::
++`reload`::
+ 	Reload the DHCP server configuration.
+ 
+-'subnet ...'::
++`subnet ...`::
+ 	TODO
+ 
+-AUTHORS
+--------
++== AUTHORS
+ Michael Tremer
+ 
+-SEE ALSO
+---------
++== SEE ALSO
+ link:network[8]
+diff --git a/man/network-dns-server.txt b/man/network-dns-server.txt
+index bd01ca7..f5019ce 100644
+--- a/man/network-dns-server.txt
++++ b/man/network-dns-server.txt
+@@ -1,75 +1,67 @@
+-network-dns-server(8)
+-=====================
++= network-dns-server(8)
+ 
+-NAME
+-----
++== NAME
+ network-dns-server - Controls the DNS settings
+ 
+-SYNOPSIS
+---------
++== SYNOPSIS
+ [verse]
+-'network dns-server' add SERVER [PRIORITY]
+-'network dns-server' remove SERVER
+-'network dns-server' list
+-'network dns-server' update
++`network dns-server add` SERVER [PRIORITY]
++`network dns-server remove` SERVER
++`network dns-server list`
++`network dns-server update`
+ 
+-DESCRIPTION
+------------
++== DESCRIPTION
+ With this command, you will be able to configure the local DNS
+ configuration.
+ 
+ You may add and remove DNS servers as well as view the settings.
+ 
+-COMMANDS
+---------
++== COMMANDS
+ The following commands are understood:
+ 
+-'add' SERVER [PRIORITY]::
++`add SERVER [PRIORITY]`::
+ 	A new DNS server may be added to the list by the
+ 	'add' command.
+ 	A priority that will rank the server my optionally be given.
+-
++	+
+ 	NOTE: SERVER must be a valid IP address and PRIORITY
+ 	must be a positive number.
+ 	The smaller this number, the higher is is the rank of
+ 	the server.
+ 
+-'remove' SERVER::
++`remove SERVER`::
+ 	The given server will be removed from the list of DNS servers.
+ 
+-'list'::
++`list`::
+ 	Shows a list of all servers that are currently in use.
+ 
+-'update'::
++`update`::
+ 	This command will re-create the system's configuration
+ 	files. It should not be required to use this command
+ 	very often.
+ 
+-SETTINGS
+---------
++== SETTINGS
+ The following settings may be set using link:network-settings[8]:
+ 
+-'DNS_USE_LOCAL_RESOLVER = [true|false]'::
++`DNS_USE_LOCAL_RESOLVER = [true|false]`::
+ 	This option defines whether the local DNS resolver should
+ 	be used or not.
+-
++	+
+ 	Basically, the option adds localhost to the list of nameservers
+ 	in link:resolv.conf[5].
+ 
+-'DNS_SEARCH_DOMAINS ='::
++`DNS_SEARCH_DOMAINS =`::
+ 	This setting configures the search domains for DNS queries
+ 	made by the local system.
+ 
+-'DNS_RANDOMIZE = [true|false]'::
++`DNS_RANDOMIZE = [true|false]`::
+ 	This option will break the DNS server ranks and will query
+ 	them in a random order which is useful to load-balance
+ 	multiple DNS servers.
+ 
+-AUTHORS
+--------
++== AUTHORS
+ Michael Tremer
+ 
+-SEE ALSO
+---------
++== SEE ALSO
+ link:network[8],
+ link:network-settings[8]
+diff --git a/man/network-performance-tuning.txt b/man/network-performance-tuning.txt
+index 763ee21..4672bbc 100644
+--- a/man/network-performance-tuning.txt
++++ b/man/network-performance-tuning.txt
+@@ -1,12 +1,9 @@
+-network-performance-tuning(8)
+-=============================
++= network-performance-tuning(8)
+ 
+-NAME
+-----
++== NAME
+ network-performance-tuning - Performance Tuning for Networking
+ 
+-DESCRIPTION
+------------
++== DESCRIPTION
+ This page contains a summary of some performance tuning techniques
+ that this system is using.
+ 
+@@ -22,12 +19,10 @@ reducing network latency and quite possibly increasing throughput.
+ The algorithm is trying to balance all network controllers across
+ all processors.
+ 
+-See /proc/interrups for the distribution of interrupts. 
++See /proc/interrupts for the distribution of interrupts.
+ 
+-AUTHORS
+--------
++== AUTHORS
+ Michael Tremer
+ 
+-SEE ALSO
+---------
++== SEE ALSO
+ link:network[8]
+diff --git a/man/network-port.txt b/man/network-port.txt
+index 0c26f33..54cd58c 100644
+--- a/man/network-port.txt
++++ b/man/network-port.txt
+@@ -1,29 +1,25 @@
+-network-port(8)
+-===============
++= network-port(8)
+ 
+-NAME
+-----
++== NAME
+ network-port - Controls Network Ports
+ 
+-SYNOPSIS
+---------
++== SYNOPSIS
+ [verse]
+-'network port' new HOOK ...
+-'network port' destroy PORT
+-'network port' PORT color set <color>
+-'network port' PORT color reset
+-'network port' PORT create
+-'network port' PORT description edit
+-'network port' PORT description show
+-'network port' PORT down
+-'network port' PORT edit ...
+-'network port' PORT identify
+-'network port' PORT remove
+-'network port' PORT status
+-'network port' PORT up
+-
+-DESCRIPTION
+------------
++`network port new HOOK ...`
++`network port destroy PORT`
++`network port PORT color set COLOR`
++`network port PORT color reset`
++`network port PORT create`
++`network port PORT description edit`
++`network port PORT description show`
++`network port PORT down`
++`network port PORT edit ...`
++`network port PORT identify`
++`network port PORT remove`
++`network port PORT status`
++`network port PORT up`
++
++== DESCRIPTION
+ This command creates, deletes, changes and views the configuration
+ and status of ports.
+ 
+@@ -32,15 +28,14 @@ to an other network. It connects those and zones together.
+ The 'network device' command shows status information of network devices
+ and other things.
+ 
+-COMMANDS
+---------
++== COMMANDS
+ The following commands are understood:
+ 
+-'new' HOOK ...::
++`new HOOK ...`::
+ 	A new port may be created with this command.
+ 	HOOK must be a valid hook which may require more options.
+ 
+-'destroy' PORT::
++`destroy PORT`::
+ 	Destroys the port PORT.
+ 	The port is removed from any zones it is attached to and shut down.
+ 
+@@ -48,49 +43,47 @@ For all other commands, the name of the port needs to be passed first:
+ 
+ include::include-color.txt[]
+ 
+-'create'::
++`create`::
+ 	This will create devices for the existing port PORT.
+-
++	+
+ 	This does not create a new port. It will just create the (possibly
+ 	virtual) interface this port (i.e. create an interface for a WiFi
+ 	module or a VLAN device).
+-
+-	The interface is not brought up. Use the 'up' command to do that.
++	+
++	The interface is not brought up. Use the `up` command to do that.
+ 
+ include::include-description.txt[]
+ 
+-'down'::
++`down`::
+ 	Shuts down the port.
+ 
+-'edit'::
++`edit`::
+ 	This command can be used to alter the configuration of a port.
+ 	Consult the documentation of the port hook to find out what is supported.
+ 
+-'identify'::
++`identify`::
+ 	This command will make the port flash for a few seconds
+ 	so that you can identify the correct network adapters
+ 	in the system.
+-
++	+
+ 	This is not supported by all network adapters.
+ 
+-'remove'::
++`remove`::
+ 	This will remove an existing PORT.
+-
++	+
+ 	This does not destroy the port. It inverses the operation performed
+ 	by the 'create' command.
+ 
+-'status'::
++`status`::
+ 	This will show some detailed information about the status
+ 	of the specified port.
+ 
+-'up'::
++`up`::
+ 	Brings up the port. It has to be created first.
+ 
+-AUTHORS
+--------
++== AUTHORS
+ Michael Tremer
+ 
+-SEE ALSO
+---------
++== SEE ALSO
+ link:network[8],
+ link:network-zone[8]
+diff --git a/man/network-quick-start.txt b/man/network-quick-start.txt
+index 02ebfe0..1ab5866 100644
+--- a/man/network-quick-start.txt
++++ b/man/network-quick-start.txt
+@@ -1,12 +1,9 @@
+-network-quick-start(8)
+-======================
++= network-quick-start(8)
+ 
+-NAME
+-----
++== NAME
+ network-quick-start - Quick Start Guide for Networking
+ 
+-DESCRIPTION
+------------
++== DESCRIPTION
+ The link:network[8] is a very powerful command that allows you to configure
+ the entire networking stack.
+ Unfortunately that makes it quite complicated to use as well.
+@@ -80,12 +77,10 @@ The entire network can be restarted by running:
+ # network restart
+ ------------
+ 
+-AUTHORS
+--------
++== AUTHORS
+ Michael Tremer
+ 
+-SEE ALSO
+---------
++== SEE ALSO
+ link:network[8],
+ link:network-device[8],
+ link:network-port[8],
+diff --git a/man/network-route-static.txt b/man/network-route-static.txt
+index 4ba97eb..43a1277 100644
+--- a/man/network-route-static.txt
++++ b/man/network-route-static.txt
+@@ -5,10 +5,10 @@ network-route-static - Manage Static Routing
+ 
+ == SYNOPSIS
+ [verse]
+-'network route static' COMMAND ...
+-'network route static add' NETWORK [--gateway=GATEWAY,--unreachable,--prohibit,--blackhole] [--mtu=MTU]
+-'network route static remove' NETWORK
+-'network route static list' [--protocol=ipv6|ipv4]
++`network route static COMMAND ...`
++`network route static add NETWORK [--gateway=GATEWAY,--unreachable,--prohibit,--blackhole] [--mtu=MTU]`
++`network route static remove NETWORK`
++`network route static list` [--protocol=ipv6|ipv4]`
+ 
+ == DESCRIPTION
+ This command helps to manage routes.
+@@ -20,14 +20,14 @@ The following commands are understood:
+ 	A new route may be added by the 'add' command. It is required to pass a
+ 	valid network prefix NETWORK, which can be either IPv6 or IPv4.
+ 	+
+-	For unicast routes, the '--gateway=GATEWAY' option must be passed, where
++	For unicast routes, the `--gateway=GATEWAY` option must be passed, where
+ 	GATEWAY is a valid IP address of the same protocol type as the network
+ 	prefix is.
+ 	+
+-	Use '--unreachable', '--prohibit', '--blackhole' can be used to create of
++	Use `--unreachable`, `--prohibit`, `--blackhole` can be used to create of
+ 	that type. See ROUTE TYPES below for more information about these options.
+ 	+
+-	The optional '--mtu=MTU' parameter defines the MTU along the path to the
++	The optional `--mtu=MTU` parameter defines the MTU along the path to the
+ 	destination and must be an integer number. This will show you very
+ 	detailed information about the given device.
+ 
+@@ -39,7 +39,7 @@ The following commands are understood:
+ 'list'::
+ 	Shows a list of all configured routes.
+ 	+
+-	Output can be filtered by passing --protocol=[ipv6|ipv4].
++	Output can be filtered by passing `--protocol=[ipv6|ipv4]`.
+ 
+ == ROUTE TYPES
+ 
+@@ -47,7 +47,7 @@ The following commands are understood:
+ 'unicast'::
+ 	A unicast route is the most common route in routing tables. It is a route to
+ 	a destination network address, which describes the path to the destination.
+-	Use the '--gateway=GATEWAY' option to create such a route.
++	Use the `--gateway=GATEWAY` option to create such a route.
+ 
+ 'unreachable'::
+ 	When a route is determined and the routing decision process returns a
+-- 
+2.39.2
+
diff --git a/network/patches/0099-hooks-Add-overwritable-function-to-determine-the-por.patch b/network/patches/0099-hooks-Add-overwritable-function-to-determine-the-por.patch
new file mode 100644
index 000000000..09b95df3c
--- /dev/null
+++ b/network/patches/0099-hooks-Add-overwritable-function-to-determine-the-por.patch
@@ -0,0 +1,53 @@ 
+From d673165c5456e29013def29ed1fa9f202110665a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 11:50:13 +0200
+Subject: [PATCH 099/304] hooks: Add overwritable function to determine the
+ port name
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/header-port | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/header-port b/src/header-port
+index d75fdd8..7d0b272 100644
+--- a/src/header-port
++++ b/src/header-port
+@@ -68,6 +68,12 @@ hook_hotplug_rename_by_address() {
+ 	return ${EXIT_ERROR}
+ }
+ 
++# Returns the suggested name of the port
++hook_find_port_name() {
++	assert isset HOOK_PORT_PATTERN
++	port_find_free "${HOOK_PORT_PATTERN}"
++}
++
+ hook_default_new() {
+ 	local ${HOOK_SETTINGS[*]}
+ 
+@@ -78,14 +84,16 @@ hook_default_new() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
+-	assert isset HOOK_PORT_PATTERN
+-
+-	local port=$(port_find_free ${HOOK_PORT_PATTERN})
++	# Determine a name for this port
++	local port="$(hook_find_port_name)"
+ 	assert isset port
+ 
+-	port_settings_write "${port}" ${HOOK_SETTINGS[*]}
++	# Save settings
++	if ! port_settings_write "${port}" ${HOOK_SETTINGS[*]}; then
++		return ${EXIT_ERROR}
++	fi
+ 
+-	exit ${EXIT_OK}
++	return ${EXIT_OK}
+ }
+ 
+ hook_new() {
+-- 
+2.39.2
+
diff --git a/network/patches/0100-vlan-Convert-hook-to-use-parse_cmdline-function.patch b/network/patches/0100-vlan-Convert-hook-to-use-parse_cmdline-function.patch
new file mode 100644
index 000000000..3a6445824
--- /dev/null
+++ b/network/patches/0100-vlan-Convert-hook-to-use-parse_cmdline-function.patch
@@ -0,0 +1,76 @@ 
+From 96045e9c044a709407b40df4145011e335929a3e Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 11:55:35 +0200
+Subject: [PATCH 100/304] vlan: Convert hook to use parse_cmdline function
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/vlan | 42 ++++++++----------------------------------
+ 1 file changed, 8 insertions(+), 34 deletions(-)
+
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index f511986..69f5144 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -51,7 +51,14 @@ hook_check_settings() {
+ 	done
+ }
+ 
+-hook_new() {
++hook_find_port_name() {
++	assert isset PARENT_DEVICE
++	assert isset TAG
++
++	print "${PARENT_DEVICE}${VLAN_PORT_INTERFIX}${TAG}"
++}
++
++hook_parse_cmdline() {
+ 	while [ $# -gt 0 ]; do
+ 		case "${1}" in
+ 			--parent-device=*)
+@@ -63,42 +70,9 @@ hook_new() {
+ 			--tag=*)
+ 				TAG=$(cli_get_val "${1}")
+ 				;;
+-			*)
+-				warning "Unknown argument '${1}'"
+-				;;
+-		esac
+-		shift
+-	done
+-
+-	local port="${PARENT_DEVICE}${VLAN_PORT_INTERFIX}${TAG}"
+-
+-	port_settings_write "${port}"
+-
+-	exit ${EXIT_OK}
+-}
+-
+-hook_edit() {
+-	local port=${1}
+-	assert isset port
+-	shift
+-
+-	port_settings_read "${port}"
+-
+-	while [ $# -gt 0 ]; do
+-		case "${1}" in
+-			--address=*)
+-				ADDRESS=$(cli_get_val "${1}")
+-				;;
+-			*)
+-				warning "Unknown argument '${1}'"
+-				;;
+ 		esac
+ 		shift
+ 	done
+-
+-	port_settings_write "${port}"
+-
+-	exit ${EXIT_OK}	
+ }
+ 
+ hook_create() {
+-- 
+2.39.2
+
diff --git a/network/patches/0101-vlan-Validate-and-always-set-MAC-address.patch b/network/patches/0101-vlan-Validate-and-always-set-MAC-address.patch
new file mode 100644
index 000000000..75a5310ee
--- /dev/null
+++ b/network/patches/0101-vlan-Validate-and-always-set-MAC-address.patch
@@ -0,0 +1,42 @@ 
+From abb655547c79f72b97451c02ba285b13c68e5a2a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:00:02 +0200
+Subject: [PATCH 101/304] vlan: Validate and always set MAC address
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/vlan | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index 69f5144..0147e54 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -66,6 +66,12 @@ hook_parse_cmdline() {
+ 				;;
+ 			--address=*)
+ 				ADDRESS=$(cli_get_val "${1}")
++
++				# Validate address
++				if ! mac_is_valid "${ADDRESS}"; then
++					error "Invalid MAC address given: ${ADDRESS}"
++					return ${EXIT_CONF_ERROR}
++				fi
+ 				;;
+ 			--tag=*)
+ 				TAG=$(cli_get_val "${1}")
+@@ -73,6 +79,11 @@ hook_parse_cmdline() {
+ 		esac
+ 		shift
+ 	done
++
++	# Generate a random MAC address if none given
++	if ! isset ADDRESS; then
++		ADDRESS="$(mac_generate)"
++	fi
+ }
+ 
+ hook_create() {
+-- 
+2.39.2
+
diff --git a/network/patches/0102-vlan-Fail-when-unknown-command-line-parameters-are-b.patch b/network/patches/0102-vlan-Fail-when-unknown-command-line-parameters-are-b.patch
new file mode 100644
index 000000000..28c850b34
--- /dev/null
+++ b/network/patches/0102-vlan-Fail-when-unknown-command-line-parameters-are-b.patch
@@ -0,0 +1,29 @@ 
+From 0cf39f2d5178f624161b8c4329140bd00b06019c Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:02:15 +0200
+Subject: [PATCH 102/304] vlan: Fail when unknown command line parameters are
+ being passed
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/vlan | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index 0147e54..39dbfff 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -76,6 +76,10 @@ hook_parse_cmdline() {
+ 			--tag=*)
+ 				TAG=$(cli_get_val "${1}")
+ 				;;
++			-*)
++				error "Unknown argument '${1}'"
++				return ${EXIT_CONF_ERROR}
++				;;
+ 		esac
+ 		shift
+ 	done
+-- 
+2.39.2
+
diff --git a/network/patches/0103-vlan-Rename-PARENT_DEVICE-to-PARENT_PORT.patch b/network/patches/0103-vlan-Rename-PARENT_DEVICE-to-PARENT_PORT.patch
new file mode 100644
index 000000000..897e75be7
--- /dev/null
+++ b/network/patches/0103-vlan-Rename-PARENT_DEVICE-to-PARENT_PORT.patch
@@ -0,0 +1,102 @@ 
+From a2f35a67d83bd3a4a4438c2b7b8cbc2ee0002e38 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:08:05 +0200
+Subject: [PATCH 103/304] vlan: Rename PARENT_DEVICE to PARENT_PORT
+
+It technically is a port
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/vlan             | 26 ++++++++++++++++----------
+ test/nitsi/test/port-vlan/recipe |  2 +-
+ 2 files changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index 39dbfff..f19eda4 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -23,14 +23,14 @@
+ 
+ HOOK_SETTINGS=(
+ 	"ADDRESS"
+-	"PARENT_DEVICE"
++	"PARENT_PORT"
+ 	"TAG"
+ )
+ 
+-PORT_PARENTS_VAR="PARENT"
++PORT_PARENTS_VAR="PARENT_PORT"
+ 
+ hook_check_settings() {
+-	assert isset PARENT_DEVICE
++	assert isset PARENT_PORT
+ 	assert isinteger TAG
+ 
+ 	if isset ADDRESS; then
+@@ -52,18 +52,15 @@ hook_check_settings() {
+ }
+ 
+ hook_find_port_name() {
+-	assert isset PARENT_DEVICE
++	assert isset PARENT_PORT
+ 	assert isset TAG
+ 
+-	print "${PARENT_DEVICE}${VLAN_PORT_INTERFIX}${TAG}"
++	print "${PARENT_PORT}${VLAN_PORT_INTERFIX}${TAG}"
+ }
+ 
+ hook_parse_cmdline() {
+ 	while [ $# -gt 0 ]; do
+ 		case "${1}" in
+-			--parent-device=*)
+-				PARENT_DEVICE=$(cli_get_val "${1}")
+-				;;
+ 			--address=*)
+ 				ADDRESS=$(cli_get_val "${1}")
+ 
+@@ -73,10 +70,19 @@ hook_parse_cmdline() {
+ 					return ${EXIT_CONF_ERROR}
+ 				fi
+ 				;;
++			--port=*)
++				PARENT_PORT=$(cli_get_val "${1}")
++
++				# Check if PARENT_PORT exists
++				if ! port_exists "${PARENT_PORT}"; then
++					error "Port '${PARENT_PORT}' does not exist"
++					return ${EXIT_CONF_ERROR}
++				fi
++				;;
+ 			--tag=*)
+ 				TAG=$(cli_get_val "${1}")
+ 				;;
+-			-*)
++			*)
+ 				error "Unknown argument '${1}'"
+ 				return ${EXIT_CONF_ERROR}
+ 				;;
+@@ -100,7 +106,7 @@ hook_create() {
+ 	port_settings_read "${port}"
+ 
+ 	# Create the VLAN device
+-	vlan_create "${port}" "${PARENT_DEVICE}" "${TAG}" "${ADDRESS}"
++	vlan_create "${port}" "${PARENT_PORT}" "${TAG}" "${ADDRESS}"
+ 
+ 	exit ${EXIT_OK}
+ }
+diff --git a/test/nitsi/test/port-vlan/recipe b/test/nitsi/test/port-vlan/recipe
+index d41377b..7a99251 100644
+--- a/test/nitsi/test/port-vlan/recipe
++++ b/test/nitsi/test/port-vlan/recipe
+@@ -17,7 +17,7 @@ bob: network zone upl0 config new static 192.168.100.102/24
+ all: network status
+ 
+ # Create a vlan device with parent port attached to net1
+-all: network port new vlan --parent-device=${p_net1} --tag=42
++all: network port new vlan --port="${p_net1}" --tag=42
+ all: network zone upl0 port attach "${p_net1}v42"
+ 
+ # Test if the vlan works by pinging bob
+-- 
+2.39.2
+
diff --git a/network/patches/0104-vlan-Check-if-parent-device-exists-before-bringing-i.patch b/network/patches/0104-vlan-Check-if-parent-device-exists-before-bringing-i.patch
new file mode 100644
index 000000000..6f4ebeded
--- /dev/null
+++ b/network/patches/0104-vlan-Check-if-parent-device-exists-before-bringing-i.patch
@@ -0,0 +1,35 @@ 
+From 4776723194ad4d1ba75d1b373c1892e44ddcbf97 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:15:01 +0200
+Subject: [PATCH 104/304] vlan: Check if parent device exists before bringing
+ it up
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/vlan | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index f19eda4..98178e3 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -103,7 +103,15 @@ hook_create() {
+ 	device_exists "${port}" && exit ${EXIT_OK}
+ 
+ 	# Read configruation
+-	port_settings_read "${port}"
++	if ! port_settings_read "${port}"; then
++		return ${EXIT_ERROR}
++	fi
++
++	# Check if the parent port exists
++	if ! port_exists "${PARENT_PORT}"; then
++		error "Port '${PARENT_PORT}' does not exist"
++		return ${EXIT_ERROR}
++	fi
+ 
+ 	# Create the VLAN device
+ 	vlan_create "${port}" "${PARENT_PORT}" "${TAG}" "${ADDRESS}"
+-- 
+2.39.2
+
diff --git a/network/patches/0105-vlan-Simplify-vlan_remove.patch b/network/patches/0105-vlan-Simplify-vlan_remove.patch
new file mode 100644
index 000000000..b6d1d2bf1
--- /dev/null
+++ b/network/patches/0105-vlan-Simplify-vlan_remove.patch
@@ -0,0 +1,32 @@ 
+From 23ddd3765e344e06f379a5ccc5c2cfcbfca9c7b7 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:15:41 +0200
+Subject: [PATCH 105/304] vlan: Simplify vlan_remove()
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.vlan | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/src/functions/functions.vlan b/src/functions/functions.vlan
+index 97028b0..d83e3ad 100644
+--- a/src/functions/functions.vlan
++++ b/src/functions/functions.vlan
+@@ -88,13 +88,7 @@ vlan_create() {
+ }
+ 
+ vlan_remove() {
+-	local device=${1}
+-	assert isset device
+-
+-	# Set down device (if not already done).
+-	device_set_down ${device}
+-
+-	device_delete ${device}
++	device_delete "$@"
+ }
+ 
+ vlan_get_parent() {
+-- 
+2.39.2
+
diff --git a/network/patches/0106-vlan-Refactor-vlan_create.patch b/network/patches/0106-vlan-Refactor-vlan_create.patch
new file mode 100644
index 000000000..250739fda
--- /dev/null
+++ b/network/patches/0106-vlan-Refactor-vlan_create.patch
@@ -0,0 +1,146 @@ 
+From d3a0f73d7b2b6d4f634083f5620752e57a7a691b Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:28:17 +0200
+Subject: [PATCH 106/304] vlan: Refactor vlan_create()
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.vlan | 81 +++++++++++++++++++++++-------------
+ src/hooks/ports/vlan         | 10 ++++-
+ 2 files changed, 60 insertions(+), 31 deletions(-)
+
+diff --git a/src/functions/functions.vlan b/src/functions/functions.vlan
+index d83e3ad..99a8baa 100644
+--- a/src/functions/functions.vlan
++++ b/src/functions/functions.vlan
+@@ -38,53 +38,76 @@ EOF
+ }
+ 
+ vlan_create() {
+-	local device=${1}
+-	assert isset device
++	local device="${1}"
++	shift
+ 
+-	local parent=${2}
+-	assert isset parent
++	assert isset device
+ 
+-	local tag=${3}
+-	assert isinteger tag
++	local address
++	local parent
++	local tag
++
++	# Parse command line arguments
++	while [ $# -gt 0 ]; do
++		case "${1}" in
++			--address=*)
++				address=$(cli_get_val "${1}")
++				;;
++			--parent=*)
++				parent=$(cli_get_val "${1}")
++				;;
++			--tag=*)
++				tag=$(cli_get_val "${1}")
++				;;
++			*)
++				error "Unrecognized argument: ${1}"
++				return ${EXIT_ERROR}
++				;;
++		esac
++		shift
++	done
++
++	# Generate a random MAC address if none was passed
++	if ! isset address; then
++		address="$(mac_generate)"
++	fi
+ 
+-	local address=${4}
+-	if isset address; then
+-		assert ismac address
++	# Check if address is valid
++	if ! ismac address; then
++		log ERROR "Invalid mac address: ${address}"
++		return ${EXIT_ERROR}
+ 	fi
+ 
+-	# Check if a device with the name does already exist.
+-	if device_exists ${device}; then
+-		log ERROR "device '${device}' does already exist"
++	# Check if a device with the name does already exist
++	if device_exists "${device}"; then
++		log ERROR "Device '${device}' already exists"
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
+-	# Check if the parent device exists.
+-	if ! device_exists ${parent}; then
+-		log ERROR "parent device '${parent}' does not exist"
++	# Check if the parent device exists
++	if ! device_exists "${parent}"; then
++		log ERROR "Parent device '${parent}' does not exist"
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
+ 	# Load ebtables stuff.
+ 	vlan_init
+ 
+-	local command="ip link add link ${parent} name ${device}"
++	# Make the command
++	local command=(
++		ip link add link "${parent}" name "${device}"
++			address "${address}" type vlan id "${tag}"
++	)
+ 
+-	if isset address; then
+-		command="${command} address ${address}"
++	# Run the command
++	if ! cmd_quiet "${command[*]}"; then
++		log ERROR "Could not create VLAN device ${device}: $?"
++		return ${EXIT_ERROR}
+ 	fi
+ 
+-	command="${command} type vlan id ${tag}"
+-
+-	cmd_quiet ${command}
+-	local ret=$?
+-
+-	if [ ${ret} -eq ${EXIT_OK} ]; then
+-		log DEBUG "vlan device '${device}' has been created"
+-	else
+-		log ERROR "could not create vlan device '${device}': ${ret}"
+-	fi
++	log DEBUG "Created VLAN device ${device} (parent = ${parent}, id = ${tag})"
+ 
+-	return ${ret}
++	return ${EXIT_OK}
+ }
+ 
+ vlan_remove() {
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index 98178e3..4715b1f 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -114,9 +114,15 @@ hook_create() {
+ 	fi
+ 
+ 	# Create the VLAN device
+-	vlan_create "${port}" "${PARENT_PORT}" "${TAG}" "${ADDRESS}"
++	if ! vlan_create "${port}" \
++			--address="${ADDRESS}" \
++			--parent="${PARENT_PORT}" \
++			--tag="${TAG}"; then
++		error "Could not create port: ${port}"
++		return ${EXIT_ERROR}
++	fi
+ 
+-	exit ${EXIT_OK}
++	return ${EXIT_OK}
+ }
+ 
+ hook_remove() {
+-- 
+2.39.2
+
diff --git a/network/patches/0107-vlan-Create-partent-port-if-necessary.patch b/network/patches/0107-vlan-Create-partent-port-if-necessary.patch
new file mode 100644
index 000000000..2201b68f2
--- /dev/null
+++ b/network/patches/0107-vlan-Create-partent-port-if-necessary.patch
@@ -0,0 +1,30 @@ 
+From 68cacd23226f401f1676e8bfc975467647cefef0 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:29:57 +0200
+Subject: [PATCH 107/304] vlan: Create partent port (if necessary)
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/ports/vlan | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index 4715b1f..384ad50 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -113,6 +113,12 @@ hook_create() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
++	# Create the partent port first
++	if ! port_create "${PARENT_PORT}"; then
++		error "Could not bring up parent port: ${PARENT_PORT}"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# Create the VLAN device
+ 	if ! vlan_create "${port}" \
+ 			--address="${ADDRESS}" \
+-- 
+2.39.2
+
diff --git a/network/patches/0108-vlan-Drop-ebtables-stuff.patch b/network/patches/0108-vlan-Drop-ebtables-stuff.patch
new file mode 100644
index 000000000..4945f7dd2
--- /dev/null
+++ b/network/patches/0108-vlan-Drop-ebtables-stuff.patch
@@ -0,0 +1,49 @@ 
+From 5338fb1423a84f9faeb597a2b67606fff1f6d6ab Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:30:48 +0200
+Subject: [PATCH 108/304] vlan: Drop ebtables stuff
+
+We no longer have ebtables
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.vlan | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+diff --git a/src/functions/functions.vlan b/src/functions/functions.vlan
+index 99a8baa..c542bb5 100644
+--- a/src/functions/functions.vlan
++++ b/src/functions/functions.vlan
+@@ -24,19 +24,6 @@ PROC_NET_VLAN_CONFIG="${PROC_NET_VLAN}/config"
+ 
+ VLAN_PORT_INTERFIX="v"
+ 
+-vlan_init() {
+-	ebtables-restore <<EOF
+-*filter
+-:INPUT ACCEPT
+-:FORWARD ACCEPT
+-:OUTPUT ACCEPT
+-
+-*broute
+-:BROUTING ACCEPT
+--A BROUTING -p 802_1Q -j DROP
+-EOF
+-}
+-
+ vlan_create() {
+ 	local device="${1}"
+ 	shift
+@@ -90,9 +77,6 @@ vlan_create() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
+-	# Load ebtables stuff.
+-	vlan_init
+-
+ 	# Make the command
+ 	local command=(
+ 		ip link add link "${parent}" name "${device}"
+-- 
+2.39.2
+
diff --git a/network/patches/0109-vlan-Rename-tag-to-id.patch b/network/patches/0109-vlan-Rename-tag-to-id.patch
new file mode 100644
index 000000000..69998bca2
--- /dev/null
+++ b/network/patches/0109-vlan-Rename-tag-to-id.patch
@@ -0,0 +1,159 @@ 
+From f24529e498b1c3fe60196c34356e5b005a22ae4c Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:34:49 +0200
+Subject: [PATCH 109/304] vlan: Rename tag to id
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.vlan     | 12 ++++++------
+ src/hooks/ports/vlan             | 26 +++++++++++++-------------
+ test/nitsi/test/port-vlan/recipe |  2 +-
+ 3 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/src/functions/functions.vlan b/src/functions/functions.vlan
+index c542bb5..9a70c95 100644
+--- a/src/functions/functions.vlan
++++ b/src/functions/functions.vlan
+@@ -31,8 +31,8 @@ vlan_create() {
+ 	assert isset device
+ 
+ 	local address
++	local id
+ 	local parent
+-	local tag
+ 
+ 	# Parse command line arguments
+ 	while [ $# -gt 0 ]; do
+@@ -40,12 +40,12 @@ vlan_create() {
+ 			--address=*)
+ 				address=$(cli_get_val "${1}")
+ 				;;
++			--id=*)
++				id=$(cli_get_val "${1}")
++				;;
+ 			--parent=*)
+ 				parent=$(cli_get_val "${1}")
+ 				;;
+-			--tag=*)
+-				tag=$(cli_get_val "${1}")
+-				;;
+ 			*)
+ 				error "Unrecognized argument: ${1}"
+ 				return ${EXIT_ERROR}
+@@ -80,7 +80,7 @@ vlan_create() {
+ 	# Make the command
+ 	local command=(
+ 		ip link add link "${parent}" name "${device}"
+-			address "${address}" type vlan id "${tag}"
++			address "${address}" type vlan id "${id}"
+ 	)
+ 
+ 	# Run the command
+@@ -89,7 +89,7 @@ vlan_create() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
+-	log DEBUG "Created VLAN device ${device} (parent = ${parent}, id = ${tag})"
++	log DEBUG "Created VLAN device ${device} (parent = ${parent}, id = ${id})"
+ 
+ 	return ${EXIT_OK}
+ }
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index 384ad50..97b6985 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -23,39 +23,39 @@
+ 
+ HOOK_SETTINGS=(
+ 	"ADDRESS"
++	"ID"
+ 	"PARENT_PORT"
+-	"TAG"
+ )
+ 
+ PORT_PARENTS_VAR="PARENT_PORT"
+ 
+ hook_check_settings() {
+ 	assert isset PARENT_PORT
+-	assert isinteger TAG
++	assert isinteger ID
+ 
+ 	if isset ADDRESS; then
+ 		assert ismac ADDRESS
+ 	fi
+ 
+-	if [ ${TAG} -gt 4096 ]; then
+-		error "TAG is greater than 4096."
++	if [ ${ID} -gt 4096 ]; then
++		error "ID is greater than 4096."
+ 		exit ${EXIT_ERROR}
+ 	fi
+ 
+ 	local reserved
+ 	for reserved in 0 4095; do
+-		if [ "${TAG}" = "${reserved}" ]; then
+-			error "TAG=${reserved} is reserved."
++		if [ "${ID}" = "${reserved}" ]; then
++			error "ID=${reserved} is reserved."
+ 			exit ${EXIT_ERROR}
+ 		fi
+ 	done
+ }
+ 
+ hook_find_port_name() {
++	assert isset ID
+ 	assert isset PARENT_PORT
+-	assert isset TAG
+ 
+-	print "${PARENT_PORT}${VLAN_PORT_INTERFIX}${TAG}"
++	print "${PARENT_PORT}${VLAN_PORT_INTERFIX}${ID}"
+ }
+ 
+ hook_parse_cmdline() {
+@@ -70,6 +70,9 @@ hook_parse_cmdline() {
+ 					return ${EXIT_CONF_ERROR}
+ 				fi
+ 				;;
++			--id=*)
++				ID=$(cli_get_val "${1}")
++				;;
+ 			--port=*)
+ 				PARENT_PORT=$(cli_get_val "${1}")
+ 
+@@ -79,9 +82,6 @@ hook_parse_cmdline() {
+ 					return ${EXIT_CONF_ERROR}
+ 				fi
+ 				;;
+-			--tag=*)
+-				TAG=$(cli_get_val "${1}")
+-				;;
+ 			*)
+ 				error "Unknown argument '${1}'"
+ 				return ${EXIT_CONF_ERROR}
+@@ -122,8 +122,8 @@ hook_create() {
+ 	# Create the VLAN device
+ 	if ! vlan_create "${port}" \
+ 			--address="${ADDRESS}" \
+-			--parent="${PARENT_PORT}" \
+-			--tag="${TAG}"; then
++			--id="${id}" \
++			--parent="${PARENT_PORT}"; then
+ 		error "Could not create port: ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+diff --git a/test/nitsi/test/port-vlan/recipe b/test/nitsi/test/port-vlan/recipe
+index 7a99251..2341e19 100644
+--- a/test/nitsi/test/port-vlan/recipe
++++ b/test/nitsi/test/port-vlan/recipe
+@@ -17,7 +17,7 @@ bob: network zone upl0 config new static 192.168.100.102/24
+ all: network status
+ 
+ # Create a vlan device with parent port attached to net1
+-all: network port new vlan --port="${p_net1}" --tag=42
++all: network port new vlan --port="${p_net1}" --id=42
+ all: network zone upl0 port attach "${p_net1}v42"
+ 
+ # Test if the vlan works by pinging bob
+-- 
+2.39.2
+
diff --git a/network/patches/0110-vlan-Validate-ID.patch b/network/patches/0110-vlan-Validate-ID.patch
new file mode 100644
index 000000000..f4abee55f
--- /dev/null
+++ b/network/patches/0110-vlan-Validate-ID.patch
@@ -0,0 +1,110 @@ 
+From fc1e91cca425c8e929df76dad4488066070879dd Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 12:41:36 +0200
+Subject: [PATCH 110/304] vlan: Validate ID
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.vlan | 25 ++++++++++++++++++++++++-
+ src/hooks/ports/vlan         | 26 +++++++++-----------------
+ 2 files changed, 33 insertions(+), 18 deletions(-)
+
+diff --git a/src/functions/functions.vlan b/src/functions/functions.vlan
+index 9a70c95..ee2fb34 100644
+--- a/src/functions/functions.vlan
++++ b/src/functions/functions.vlan
+@@ -24,6 +24,23 @@ PROC_NET_VLAN_CONFIG="${PROC_NET_VLAN}/config"
+ 
+ VLAN_PORT_INTERFIX="v"
+ 
++vlan_valid_id() {
++	local id="${1}"
++
++	# Must be an integer
++	if ! isinteger id; then
++		return ${EXIT_FALSE}
++	fi
++
++	# Must be between 1 and 4095
++	if [ ${id} -ge 1 ] && [ ${id} -le 4096 ]; then
++		return ${EXIT_TRUE}
++	fi
++
++	# Otherwise this is invalid
++	return ${EXIT_FALSE}
++}
++
+ vlan_create() {
+ 	local device="${1}"
+ 	shift
+@@ -31,7 +48,7 @@ vlan_create() {
+ 	assert isset device
+ 
+ 	local address
+-	local id
++	local id=1
+ 	local parent
+ 
+ 	# Parse command line arguments
+@@ -65,6 +82,12 @@ vlan_create() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
++	# Check VLAN ID
++	if ! vlan_valid_id "${id}"; then
++		log ERROR "Invalid VLAN ID: ${id}"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# Check if a device with the name does already exist
+ 	if device_exists "${device}"; then
+ 		log ERROR "Device '${device}' already exists"
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index 97b6985..7f99dbc 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -30,25 +30,11 @@ HOOK_SETTINGS=(
+ PORT_PARENTS_VAR="PARENT_PORT"
+ 
+ hook_check_settings() {
++	assert ismac ADDRESS
+ 	assert isset PARENT_PORT
+-	assert isinteger ID
+-
+-	if isset ADDRESS; then
+-		assert ismac ADDRESS
+-	fi
+-
+-	if [ ${ID} -gt 4096 ]; then
+-		error "ID is greater than 4096."
+-		exit ${EXIT_ERROR}
+-	fi
+ 
+-	local reserved
+-	for reserved in 0 4095; do
+-		if [ "${ID}" = "${reserved}" ]; then
+-			error "ID=${reserved} is reserved."
+-			exit ${EXIT_ERROR}
+-		fi
+-	done
++	assert isinteger ID
++	assert vlan_valid_id "${ID}"
+ }
+ 
+ hook_find_port_name() {
+@@ -72,6 +58,12 @@ hook_parse_cmdline() {
+ 				;;
+ 			--id=*)
+ 				ID=$(cli_get_val "${1}")
++
++				# Validate VLAN ID
++				if ! vlan_valid_id "${ID}"; then
++					error "Invalid VLAN ID: ${ID}"
++					return ${EXIT_CONF_ERROR}
++				fi
+ 				;;
+ 			--port=*)
+ 				PARENT_PORT=$(cli_get_val "${1}")
+-- 
+2.39.2
+
diff --git a/network/patches/0111-util-Add-abort-which-will-stop-the-program-immediate.patch b/network/patches/0111-util-Add-abort-which-will-stop-the-program-immediate.patch
new file mode 100644
index 000000000..f14d8610a
--- /dev/null
+++ b/network/patches/0111-util-Add-abort-which-will-stop-the-program-immediate.patch
@@ -0,0 +1,48 @@ 
+From 9532462fe04658d728ecbf263b586111f73fe2b2 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 13:16:47 +0200
+Subject: [PATCH 111/304] util: Add abort() which will stop the program
+ immediately
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.util | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/functions/functions.util b/src/functions/functions.util
+index 7379a98..39ad861 100644
+--- a/src/functions/functions.util
++++ b/src/functions/functions.util
+@@ -469,14 +469,27 @@ assert() {
+ 	local assertion="$@"
+ 
+ 	if ! ${assertion}; then
+-		error_log "Assertion '${assertion}' failed."
+ 		backtrace
+-		exit ${EXIT_ERROR_ASSERT}
++
++		# End the program here
++		abort "Assertion failed: ${assertion}"
+ 	fi
+ 
+ 	return ${EXIT_OK}
+ }
+ 
++# Ends the program immediately without cleaning up
++abort() {
++	local msg="$@"
++
++	# Print message
++	if isset msg; then
++		log ERROR "${msg}"
++	fi
++
++	exit ${EXIT_ERROR_ASSERT}
++}
++
+ # This function checks, if the given argument is an assert error
+ # exit code. If this is the case, the script will halt immediately.
+ assert_check_retval() {
+-- 
+2.39.2
+
diff --git a/network/patches/0112-vlan-Add-support-for-802.1ad-QinQ.patch b/network/patches/0112-vlan-Add-support-for-802.1ad-QinQ.patch
new file mode 100644
index 000000000..62f77efca
--- /dev/null
+++ b/network/patches/0112-vlan-Add-support-for-802.1ad-QinQ.patch
@@ -0,0 +1,139 @@ 
+From 2eb7011cb5447f9568c8136940f59a047e1b8dae Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 3 Jun 2019 13:17:06 +0200
+Subject: [PATCH 112/304] vlan: Add support for 802.1ad (QinQ)
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.vlan | 24 +++++++++++++++++++++++-
+ src/hooks/ports/vlan         | 22 ++++++++++++++++++++--
+ 2 files changed, 43 insertions(+), 3 deletions(-)
+
+diff --git a/src/functions/functions.vlan b/src/functions/functions.vlan
+index ee2fb34..fbaa34f 100644
+--- a/src/functions/functions.vlan
++++ b/src/functions/functions.vlan
+@@ -22,6 +22,11 @@
+ PROC_NET_VLAN="/proc/net/vlan"
+ PROC_NET_VLAN_CONFIG="${PROC_NET_VLAN}/config"
+ 
++VLAN_SUPPORTED_PROTOCOLS=(
++	"802.1Q"	# default
++	"802.1ad"
++)
++
+ VLAN_PORT_INTERFIX="v"
+ 
+ vlan_valid_id() {
+@@ -41,6 +46,13 @@ vlan_valid_id() {
+ 	return ${EXIT_FALSE}
+ }
+ 
++vlan_supported_protocol() {
++	local proto="${1}"
++	assert isset proto
++
++	list_match "${proto}" "${VLAN_SUPPORTED_PROTOCOLS[@]}"
++}
++
+ vlan_create() {
+ 	local device="${1}"
+ 	shift
+@@ -50,6 +62,7 @@ vlan_create() {
+ 	local address
+ 	local id=1
+ 	local parent
++	local protocol="${VLAN_SUPPORTED_PROTOCOLS[0]}"
+ 
+ 	# Parse command line arguments
+ 	while [ $# -gt 0 ]; do
+@@ -63,6 +76,9 @@ vlan_create() {
+ 			--parent=*)
+ 				parent=$(cli_get_val "${1}")
+ 				;;
++			--protocol=*)
++				protocol=$(cli_get_val "${1}")
++				;;
+ 			*)
+ 				error "Unrecognized argument: ${1}"
+ 				return ${EXIT_ERROR}
+@@ -82,6 +98,12 @@ vlan_create() {
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
++	# Check protocol
++	if ! vlan_supported_protocol "${protocol}"; then
++		log ERROR "Invalid protocol: ${protocol}"
++		return ${EXIT_ERROR}
++	fi
++
+ 	# Check VLAN ID
+ 	if ! vlan_valid_id "${id}"; then
+ 		log ERROR "Invalid VLAN ID: ${id}"
+@@ -103,7 +125,7 @@ vlan_create() {
+ 	# Make the command
+ 	local command=(
+ 		ip link add link "${parent}" name "${device}"
+-			address "${address}" type vlan id "${id}"
++			address "${address}" type vlan proto "${protocol}" id "${id}"
+ 	)
+ 
+ 	# Run the command
+diff --git a/src/hooks/ports/vlan b/src/hooks/ports/vlan
+index 7f99dbc..af563ee 100644
+--- a/src/hooks/ports/vlan
++++ b/src/hooks/ports/vlan
+@@ -25,14 +25,21 @@ HOOK_SETTINGS=(
+ 	"ADDRESS"
+ 	"ID"
+ 	"PARENT_PORT"
++	"PROTOCOL"
+ )
+ 
++# Set the default to 802.1Q
++DEFAULT_PROTOCOL="${VLAN_SUPPORTED_PROTOCOLS[0]}"
++
+ PORT_PARENTS_VAR="PARENT_PORT"
+ 
+ hook_check_settings() {
+ 	assert ismac ADDRESS
+ 	assert isset PARENT_PORT
+ 
++	assert isset PROTOCOL
++	assert vlan_supported_protocol "${PROTOCOL}"
++
+ 	assert isinteger ID
+ 	assert vlan_valid_id "${ID}"
+ }
+@@ -74,6 +81,16 @@ hook_parse_cmdline() {
+ 					return ${EXIT_CONF_ERROR}
+ 				fi
+ 				;;
++			--protocol=*)
++				PROTOCOL="$(cli_get_val "${1}")"
++
++				# Check if PROTOCOL is supported
++				if ! vlan_supported_protocol "${PROTOCOL}"; then
++					error "Protocol '${PROTOCOL}' is not supported"
++					error "Choose one of ${VLAN_SUPPORTED_PROTOCOLS[*]}"
++					return ${EXIT_CONF_ERROR}
++				fi
++				;;
+ 			*)
+ 				error "Unknown argument '${1}'"
+ 				return ${EXIT_CONF_ERROR}
+@@ -114,8 +131,9 @@ hook_create() {
+ 	# Create the VLAN device
+ 	if ! vlan_create "${port}" \
+ 			--address="${ADDRESS}" \
+-			--id="${id}" \
+-			--parent="${PARENT_PORT}"; then
++			--id="${ID}" \
++			--parent="${PARENT_PORT}" \
++			--protocol="${PROTOCOL}"; then
+ 		error "Could not create port: ${port}"
+ 		return ${EXIT_ERROR}
+ 	fi
+-- 
+2.39.2
+
diff --git a/network/patches/0113-Do-not-try-to-start-Bird-during-boot-process.patch b/network/patches/0113-Do-not-try-to-start-Bird-during-boot-process.patch
new file mode 100644
index 000000000..7e25e5d9f
--- /dev/null
+++ b/network/patches/0113-Do-not-try-to-start-Bird-during-boot-process.patch
@@ -0,0 +1,57 @@ 
+From ecc7067479d165f4178f04248d86898cf50e3d95 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 20 Jun 2019 23:09:01 +0200
+Subject: [PATCH 113/304] Do not try to start Bird during boot process
+
+We should not do this in the network script and let just
+systemd take care of this. Otherwise we would end up in
+an infinite loop during the boot process.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.bird | 14 --------------
+ src/network                  |  3 ---
+ 2 files changed, 17 deletions(-)
+
+diff --git a/src/functions/functions.bird b/src/functions/functions.bird
+index 1bbac8c..55d43b5 100644
+--- a/src/functions/functions.bird
++++ b/src/functions/functions.bird
+@@ -33,20 +33,6 @@ bird_reload() {
+ 	service_reload "bird.service"
+ }
+ 
+-bird_enable() {
+-	# Generate configuration file
+-	if ! bird_generate_config; then
+-		log ERROR "Could not write Bird configuration"
+-		return ${EXIT_ERROR}
+-	fi
+-
+-	# Enable the service to be automatically started next time
+-	service_enable "bird.service"
+-
+-	# Start it now
+-	bird_start
+-}
+-
+ # Update configuration any apply it in one go
+ bird_update() {
+ 	if ! bird_generate_config; then
+diff --git a/src/network b/src/network
+index be06d8a..30f87a0 100644
+--- a/src/network
++++ b/src/network
+@@ -1381,9 +1381,6 @@ case "${action}" in
+ 		# Update resolv.conf(5) when initializing the network
+ 		dns_generate_resolvconf
+ 
+-		# Make sure bird is running
+-		bird_enable
+-
+ 		# Also execute all triggers
+ 		triggers_execute_all "init"
+ 		;;
+-- 
+2.39.2
+
diff --git a/network/patches/0114-configure-Break-when-asciidoc-cannot-be-found.patch b/network/patches/0114-configure-Break-when-asciidoc-cannot-be-found.patch
new file mode 100644
index 000000000..1fc0c289d
--- /dev/null
+++ b/network/patches/0114-configure-Break-when-asciidoc-cannot-be-found.patch
@@ -0,0 +1,27 @@ 
+From 9665b7963d263fd83ac132a84a3809fc6a03287a Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 21 Jun 2019 06:30:44 +0100
+Subject: [PATCH 114/304] configure: Break when asciidoc cannot be found
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ configure.ac | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 117850f..340cfd6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -144,6 +144,9 @@ PKG_CHECK_MODULES([LIBNL], [libnl-3.0 libnl-genl-3.0])
+ # ------------------------------------------------------------------------------
+ 
+ AC_CHECK_PROGS(ASCIIDOC, [asciidoc])
++if test -z "${ASCIIDOC}"; then
++	AC_MSG_ERROR([Required program 'asciidoc' not found])
++fi
+ 
+ # ------------------------------------------------------------------------------
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0115-Fix-creating-new-configs.patch b/network/patches/0115-Fix-creating-new-configs.patch
new file mode 100644
index 000000000..6f1c964e4
--- /dev/null
+++ b/network/patches/0115-Fix-creating-new-configs.patch
@@ -0,0 +1,29 @@ 
+From f1081966991d55ccd182b45f58fc0fde31437f77 Mon Sep 17 00:00:00 2001
+From: Stefan Schantl <stefan.schantl@ipfire.org>
+Date: Sat, 22 Jun 2019 09:52:37 +0000
+Subject: [PATCH 115/304] Fix creating new configs
+
+The id argument was missing for the zone_config_settings_write.
+
+Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/header-config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/header-config b/src/header-config
+index c6a775c..ed647cd 100644
+--- a/src/header-config
++++ b/src/header-config
+@@ -45,7 +45,7 @@ hook_new() {
+ 	fi
+ 
+ 	# Write configuration to disk
+-	if ! zone_config_settings_write "${zone}" "${HOOK}"; then
++	if ! zone_config_settings_write "${zone}" "${HOOK}" "${id}"; then
+ 		return ${EXIT_ERROR}
+ 	fi
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0116-inetcalc-Fix-compiler-warnings.patch b/network/patches/0116-inetcalc-Fix-compiler-warnings.patch
new file mode 100644
index 000000000..9b6dca279
--- /dev/null
+++ b/network/patches/0116-inetcalc-Fix-compiler-warnings.patch
@@ -0,0 +1,30 @@ 
+From d07532fad069c51d188ba7b93539488499d5dbf9 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 22 Jun 2019 13:31:03 +0000
+Subject: [PATCH 116/304] inetcalc: Fix compiler warnings
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/inetcalc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/inetcalc.c b/src/inetcalc.c
+index 1841c84..7c072e9 100644
+--- a/src/inetcalc.c
++++ b/src/inetcalc.c
+@@ -134,9 +134,9 @@ static int default_prefix(const int family) {
+ static int ip_address_parse_simple(ip_address_t* ip, const int family, const char* address) {
+ 	assert(family == AF_INET || family == AF_INET6);
+ 
+-	size_t address_length = strlen(address);
+-	char buffer[address_length + 1];
+-	strncpy(buffer, address, sizeof(buffer));
++	// Copy input to stack
++	char buffer[512];
++	strncpy(buffer, address, sizeof(buffer) - 1);
+ 
+ 	// Search for a prefix or subnet mask
+ 	char* prefix = strchr(buffer, '/');
+-- 
+2.39.2
+
diff --git a/network/patches/0117-firewall-Drop-separate-scripts-for-IPv6-and-IPv4.patch b/network/patches/0117-firewall-Drop-separate-scripts-for-IPv6-and-IPv4.patch
new file mode 100644
index 000000000..bb9f90e7a
--- /dev/null
+++ b/network/patches/0117-firewall-Drop-separate-scripts-for-IPv6-and-IPv4.patch
@@ -0,0 +1,70 @@ 
+From 0c5d22de5c22c9264dcb839df72440a1d11faa0c Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 21 Jun 2019 06:34:23 +0100
+Subject: [PATCH 117/304] firewall: Drop separate scripts for IPv6 and IPv4
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am                 |  3 +--
+ src/{firewall6 => firewall} |  0
+ src/firewall4               | 29 -----------------------------
+ 3 files changed, 1 insertion(+), 31 deletions(-)
+ rename src/{firewall6 => firewall} (100%)
+ delete mode 100644 src/firewall4
+
+diff --git a/Makefile.am b/Makefile.am
+index 4c26a9d..a36a4ab 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -115,8 +115,7 @@ dist_doc_DATA = \
+ dist_sbin_SCRIPTS = \
+ 	src/dhclient-script \
+ 	src/firewall-config \
+-	src/firewall4 \
+-	src/firewall6 \
++	src/firewall \
+ 	src/network
+ 
+ network_DATA = \
+diff --git a/src/firewall6 b/src/firewall
+similarity index 100%
+rename from src/firewall6
+rename to src/firewall
+diff --git a/src/firewall4 b/src/firewall4
+deleted file mode 100644
+index 55eed2c..0000000
+--- a/src/firewall4
++++ /dev/null
+@@ -1,29 +0,0 @@
+-#!/bin/bash
+-###############################################################################
+-#                                                                             #
+-# IPFire.org - A linux based firewall                                         #
+-# Copyright (C) 2012  IPFire Network Development Team                         #
+-#                                                                             #
+-# This program is free software: you can redistribute it and/or modify        #
+-# it under the terms of the GNU General Public License as published by        #
+-# the Free Software Foundation, either version 3 of the License, or           #
+-# (at your option) any later version.                                         #
+-#                                                                             #
+-# This program is distributed in the hope that it will be useful,             #
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+-# GNU General Public License for more details.                                #
+-#                                                                             #
+-# You should have received a copy of the GNU General Public License           #
+-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+-#                                                                             #
+-###############################################################################
+-
+-. /usr/lib/network/functions
+-
+-# Read firewall settings
+-firewall_settings_read
+-
+-firewall_cli "ipv4" "$@"
+-
+-exit ${EXIT_ERROR}
+-- 
+2.39.2
+
diff --git a/network/patches/0118-systemd-Remove-double-firewall-scripts.patch b/network/patches/0118-systemd-Remove-double-firewall-scripts.patch
new file mode 100644
index 000000000..d9090af5f
--- /dev/null
+++ b/network/patches/0118-systemd-Remove-double-firewall-scripts.patch
@@ -0,0 +1,76 @@ 
+From 67131768c979c66ad3717e46cb81a068b14eafee Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 22 Jun 2019 13:43:04 +0000
+Subject: [PATCH 118/304] systemd: Remove double firewall scripts
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am                                        |  3 +--
+ .../{firewall4.service.in => firewall.service}     |  6 +++---
+ src/systemd/firewall6.service.in                   | 14 --------------
+ 3 files changed, 4 insertions(+), 19 deletions(-)
+ rename src/systemd/{firewall4.service.in => firewall.service} (62%)
+ delete mode 100644 src/systemd/firewall6.service.in
+
+diff --git a/Makefile.am b/Makefile.am
+index a36a4ab..81cf50d 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -363,8 +363,7 @@ UNINSTALL_EXEC_HOOKS += ppp-uninstall-hook
+ 
+ if HAVE_SYSTEMD
+ systemdsystemunit_DATA = \
+-	src/systemd/firewall4.service \
+-	src/systemd/firewall6.service \
++	src/systemd/firewall.service \
+ 	src/systemd/firewall-init.service \
+ 	src/systemd/network-init.service \
+ 	src/systemd/network@.service
+diff --git a/src/systemd/firewall4.service.in b/src/systemd/firewall.service
+similarity index 62%
+rename from src/systemd/firewall4.service.in
+rename to src/systemd/firewall.service
+index 568f5e7..34797e5 100644
+--- a/src/systemd/firewall4.service.in
++++ b/src/systemd/firewall.service
+@@ -1,5 +1,5 @@
+ [Unit]
+-Description=Firewall for IPv4
++Description=Firewall for IPFire
+ After=firewall-init.service
+ Before=network.target
+ Requires=firewall-init.service
+@@ -7,8 +7,8 @@ Requires=firewall-init.service
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+-ExecStart=@sbindir@/firewall4 start
+-ExecStop=@sbindir@/firewall4 stop
++ExecStart=@sbindir@/firewall start
++ExecStop=@sbindir@/firewall stop
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/src/systemd/firewall6.service.in b/src/systemd/firewall6.service.in
+deleted file mode 100644
+index 873bfe6..0000000
+--- a/src/systemd/firewall6.service.in
++++ /dev/null
+@@ -1,14 +0,0 @@
+-[Unit]
+-Description=Firewall for IPv6
+-After=firewall-init.service
+-Before=network.target
+-Requires=firewall-init.service
+-
+-[Service]
+-Type=oneshot
+-RemainAfterExit=yes
+-ExecStart=@sbindir@/firewall6 start
+-ExecStop=@sbindir@/firewall6 stop
+-
+-[Install]
+-WantedBy=multi-user.target
+-- 
+2.39.2
+
diff --git a/network/patches/0119-firewall-Add-init-action-to-main-script.patch b/network/patches/0119-firewall-Add-init-action-to-main-script.patch
new file mode 100644
index 000000000..82a8ae26e
--- /dev/null
+++ b/network/patches/0119-firewall-Add-init-action-to-main-script.patch
@@ -0,0 +1,54 @@ 
+From 3e446cf0bff8c1dc409479bf02b0fc8912847c13 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 22 Jun 2019 13:50:00 +0000
+Subject: [PATCH 119/304] firewall: Add init action to main script
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/firewall | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall b/src/firewall
+index db7284c..c47ac61 100644
+--- a/src/firewall
++++ b/src/firewall
+@@ -19,11 +19,35 @@
+ #                                                                             #
+ ###############################################################################
+ 
++# Parse the command line
++while [ $# -gt 0 ]; do
++	case "${1}" in
++		-d|--debug)
++			DEBUG=1
++			;;
++		*)
++			action=${1}
++			;;
++	esac
++	shift
++	[ -n "${action}" ] && break
++done
++
+ . /usr/lib/network/functions
+ 
+ # Read firewall settings
+ firewall_settings_read
+ 
+-firewall_cli "ipv6" "$@"
++case "${action}" in
++	# Initialise kernel with firewall settings
++	init)
++		firewall_kernel_init
++		exit $?
++		;;
++
++	*)
++		firewall_cli "ipv6" "${action}" "$@"
++		;;
++esac
+ 
+ exit ${EXIT_ERROR}
+-- 
+2.39.2
+
diff --git a/network/patches/0120-firewall-Drop-initialisation-helper-script.patch b/network/patches/0120-firewall-Drop-initialisation-helper-script.patch
new file mode 100644
index 000000000..f77ad79db
--- /dev/null
+++ b/network/patches/0120-firewall-Drop-initialisation-helper-script.patch
@@ -0,0 +1,79 @@ 
+From 19b14da45fb83638878b14e77303194733679bc1 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 22 Jun 2019 13:52:09 +0000
+Subject: [PATCH 120/304] firewall: Drop initialisation helper script
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am                          |  1 -
+ src/helpers/firewall-kernel-init     | 30 ----------------------------
+ src/systemd/firewall-init.service.in |  4 ++--
+ 3 files changed, 2 insertions(+), 33 deletions(-)
+ delete mode 100644 src/helpers/firewall-kernel-init
+
+diff --git a/Makefile.am b/Makefile.am
+index 81cf50d..0974ba8 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -206,7 +206,6 @@ dist_network_SCRIPTS = \
+ 
+ dist_helpers_SCRIPTS = \
+ 	src/helpers/dhcpd-config-helper \
+-	src/helpers/firewall-kernel-init \
+ 	src/helpers/hostapd-config-helper \
+ 	src/helpers/ipsec-updown \
+ 	src/helpers/pppd-angel \
+diff --git a/src/helpers/firewall-kernel-init b/src/helpers/firewall-kernel-init
+deleted file mode 100644
+index aea82c4..0000000
+--- a/src/helpers/firewall-kernel-init
++++ /dev/null
+@@ -1,30 +0,0 @@
+-#!/bin/bash
+-###############################################################################
+-#                                                                             #
+-# IPFire.org - A linux based firewall                                         #
+-# Copyright (C) 2012  IPFire Network Development Team                         #
+-#                                                                             #
+-# This program is free software: you can redistribute it and/or modify        #
+-# it under the terms of the GNU General Public License as published by        #
+-# the Free Software Foundation, either version 3 of the License, or           #
+-# (at your option) any later version.                                         #
+-#                                                                             #
+-# This program is distributed in the hope that it will be useful,             #
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+-# GNU General Public License for more details.                                #
+-#                                                                             #
+-# You should have received a copy of the GNU General Public License           #
+-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+-#                                                                             #
+-###############################################################################
+-
+-. /usr/lib/network/functions
+-
+-# Read firewall settings
+-firewall_setttings_read
+-
+-# Initialize kernel parameters for the firewall.
+-firewall_kernel_init
+-
+-exit ${EXIT_OK}
+diff --git a/src/systemd/firewall-init.service.in b/src/systemd/firewall-init.service.in
+index 24497e9..91dd058 100644
+--- a/src/systemd/firewall-init.service.in
++++ b/src/systemd/firewall-init.service.in
+@@ -1,8 +1,8 @@
+ [Unit]
+-Description=Initialize kernel parameters for the firewalls
++Description=Initialize kernel parameters for the firewall
+ Before=network.target
+ 
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+-ExecStart=@helpersdir@/firewall-kernel-init
++ExecStart=@sbindir@/firewall init
+-- 
+2.39.2
+
diff --git a/network/patches/0121-Revert-firewall-Disable-PMTU-by-default.patch b/network/patches/0121-Revert-firewall-Disable-PMTU-by-default.patch
new file mode 100644
index 000000000..01c70c7be
--- /dev/null
+++ b/network/patches/0121-Revert-firewall-Disable-PMTU-by-default.patch
@@ -0,0 +1,28 @@ 
+From 70c56486267789a3767e22833548694a9b69e1b8 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 22 Jun 2019 13:55:00 +0000
+Subject: [PATCH 121/304] Revert "firewall: Disable PMTU by default"
+
+This reverts commit b3a66a5c00bc4e39ce0db34e2ac96c4911b4e31a.
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.constants-firewall | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.constants-firewall b/src/functions/functions.constants-firewall
+index 4f7f503..d42189a 100644
+--- a/src/functions/functions.constants-firewall
++++ b/src/functions/functions.constants-firewall
+@@ -78,7 +78,7 @@ FIREWALL_USE_ECN="true"
+ FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_USE_ECN"
+ 
+ # Path MTU discovery
+-FIREWALL_PMTU_DISCOVERY="false"
++FIREWALL_PMTU_DISCOVERY="true"
+ FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_PMTU_DISCOVERY"
+ 
+ # Default TTL
+-- 
+2.39.2
+
diff --git a/network/patches/0122-firewall-Fix-reading-writing-settings.patch b/network/patches/0122-firewall-Fix-reading-writing-settings.patch
new file mode 100644
index 000000000..d0cd4b263
--- /dev/null
+++ b/network/patches/0122-firewall-Fix-reading-writing-settings.patch
@@ -0,0 +1,147 @@ 
+From c69adafd8ad8abf4f14b6fe110bbd8efb5eca596 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 22 Jun 2019 14:11:15 +0000
+Subject: [PATCH 122/304] firewall: Fix reading/writing settings
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.constants-firewall | 40 ++++++++++++----------
+ src/functions/functions.settings           |  6 ++--
+ 2 files changed, 25 insertions(+), 21 deletions(-)
+
+diff --git a/src/functions/functions.constants-firewall b/src/functions/functions.constants-firewall
+index d42189a..2ca9390 100644
+--- a/src/functions/functions.constants-firewall
++++ b/src/functions/functions.constants-firewall
+@@ -19,6 +19,10 @@
+ #                                                                             #
+ ###############################################################################
+ 
++# Firewall file configuration
++FIREWALL_SETTINGS_DIR="/etc/firewall"
++FIREWALL_SETTINGS_FILE="${FIREWALL_SETTINGS_DIR}/settings"
++
+ # This variable is used to point to a directory
+ # in which the iptables ruleset will be generated.
+ IPTABLES_TMPDIR=
+@@ -32,78 +36,78 @@ FIREWALL_MACROS_DIRS="${FIREWALL_CONFIG_DIR}/macros"
+ FIREWALL_MACROS_DIRS="${FIREWALL_MACROS_DIRS} /usr/share/firewall/macros"
+ 
+ # List of parameters which are saved in the configuration file.
+-FIREWALL_CONFIG_PARAMS=""
++FIREWALL_SETTINGS=( "DEBUG" )
+ 
+ # Valid arguments in the rules file.
+ FIREWALL_RULES_CONFIG_PARAMS="src dst proto action sport dport in out"
+ 
+ # Define the default logging method (nflog or syslog).
+ FIREWALL_LOG_METHOD="nflog"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_METHOD"
++FIREWALL_SETTINGS+=( "FIREWALL_LOG_METHOD" )
+ 
+ # Set the default threshold for the nflog method.
+ FIREWALL_NFLOG_THRESHOLD=30
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_NFLOG_THRESHOLD"
++FIREWALL_SETTINGS+=( "FIREWALL_NFLOG_THRESHOLD" )
+ 
+ # Enable clamping MSS for braindead ISPs which filter ICMP packets.
+ FIREWALL_CLAMP_PATH_MTU="false"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_CLAMP_PATH_MTU"
++FIREWALL_SETTINGS+=( "FIREWALL_CLAMP_PATH_MTU" )
+ 
+ # Conntrack: Max. amount of simultaneous connections.
+ CONNTRACK_MAX_CONNECTIONS="16384"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_MAX_CONNECTIONS"
++FIREWALL_SETTINGS+=( "CONNTRACK_MAX_CONNECTIONS" )
+ 
+ # Conntrack: UDP timeout
+ CONNTRACK_UDP_TIMEOUT="60"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_UDP_TIMEOUT"
++FIREWALL_SETTINGS+=( "CONNTRACK_UDP_TIMEOUT" )
+ 
+ # Use SYN cookies or not
+ FIREWALL_SYN_COOKIES="true"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_SYN_COOKIES"
++FIREWALL_SETTINGS+=( "FIREWALL_SYN_COOKIES" )
+ 
+ # rp_filter
+ FIREWALL_RP_FILTER="true"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_RP_FILTER"
++FIREWALL_SETTINGS+=( "FIREWALL_RP_FILTER" )
+ 
+ # Log martians
+ FIREWALL_LOG_MARTIANS="false"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_MARTIANS"
++FIREWALL_SETTINGS+=( "FIREWALL_LOG_MARTIANS" )
+ 
+ # Accept ICMP redirects
+ FIREWALL_ACCEPT_ICMP_REDIRECTS="false"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_ACCEPT_ICMP_REDIRECTS"
++FIREWALL_SETTINGS+=( "FIREWALL_ACCEPT_ICMP_REDIRECTS" )
+ 
+ # ECN (Explicit Congestion Notification)
+ FIREWALL_USE_ECN="true"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_USE_ECN"
++FIREWALL_SETTINGS+=( "FIREWALL_USE_ECN" )
+ 
+ # Path MTU discovery
+ FIREWALL_PMTU_DISCOVERY="true"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_PMTU_DISCOVERY"
++FIREWALL_SETTINGS+=( "FIREWALL_PMTU_DISCOVERY" )
+ 
+ # Default TTL
+ FIREWALL_DEFAULT_TTL="64"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_DEFAULT_TTL"
++FIREWALL_SETTINGS+=( "FIREWALL_DEFAULT_TTL" )
+ 
+ # Log stealth scans
+ FIREWALL_LOG_STEALTH_SCANS="true"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_STEALTH_SCANS"
++FIREWALL_SETTINGS+=( "FIREWALL_LOG_STEALTH_SCANS" )
+ 
+ # Log packets with bad TCP flags
+ FIREWALL_LOG_BAD_TCP_FLAGS="true"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_BAD_TCP_FLAGS"
++FIREWALL_SETTINGS+=( "FIREWALL_LOG_BAD_TCP_FLAGS" )
+ 
+ # Log INVALID TCP packets
+ FIREWALL_LOG_INVALID_TCP="true"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_TCP"
++FIREWALL_SETTINGS+=( "FIREWALL_LOG_INVALID_TCP" )
+ 
+ # Log INVALID UDP packets
+ FIREWALL_LOG_INVALID_UDP="true"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_UDP"
++FIREWALL_SETTINGS+=( "FIREWALL_LOG_INVALID_UDP" )
+ 
+ # Log INVALID ICMP packets
+ FIREWALL_LOG_INVALID_ICMP="true"
+-FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_ICMP"
++FIREWALL_SETTINGS+=( "FIREWALL_LOG_INVALID_ICMP" )
+ 
+ FIREWALL_SUPPORTED_PROTOCOLS="tcp udp icmp igmp esp ah gre"
+ FIREWALL_PROTOCOLS_SUPPORTING_PORTS="tcp udp"
+diff --git a/src/functions/functions.settings b/src/functions/functions.settings
+index 69f4c23..5728e72 100644
+--- a/src/functions/functions.settings
++++ b/src/functions/functions.settings
+@@ -297,13 +297,13 @@ network_settings_list() {
+ }
+ 
+ firewall_settings_read() {
+-	settings_read "${FIREWALL_SETTINGS_FILE}" "${FIREWALL_SETTINGS_PARAMS}"
++	settings_read "${FIREWALL_SETTINGS_FILE}" "${FIREWALL_SETTINGS[*]}"
+ }
+ 
+ firewall_settings_write() {
+-	settings_write "${FIREWALL_SETTINGS_FILE}" "${FIREWALL_SETTINGS_PARAMS}"
++	settings_write "${FIREWALL_SETTINGS_FILE}" "${FIREWALL_SETTINGS[*]}"
+ }
+ 
+ firewall_settings_print() {
+-	settings_print "${FIREWALL_SETTINGS_PARAMS}"
++	settings_print "${FIREWALL_SETTINGS[*]}"
+ }
+-- 
+2.39.2
+
diff --git a/network/patches/0123-firewall-Drop-firewall-config-command-in-favour-of-f.patch b/network/patches/0123-firewall-Drop-firewall-config-command-in-favour-of-f.patch
new file mode 100644
index 000000000..8f26fe8ec
--- /dev/null
+++ b/network/patches/0123-firewall-Drop-firewall-config-command-in-favour-of-f.patch
@@ -0,0 +1,80 @@ 
+From 12c8f41a0791a517d5cc7cd30bd566896891f092 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sat, 22 Jun 2019 14:16:07 +0000
+Subject: [PATCH 123/304] firewall: Drop firewall-config command in favour of
+ "firewall settings"
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am         |  1 -
+ src/firewall        |  5 +++++
+ src/firewall-config | 29 -----------------------------
+ 3 files changed, 5 insertions(+), 30 deletions(-)
+ delete mode 100644 src/firewall-config
+
+diff --git a/Makefile.am b/Makefile.am
+index 0974ba8..4fe5068 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -114,7 +114,6 @@ dist_doc_DATA = \
+ 
+ dist_sbin_SCRIPTS = \
+ 	src/dhclient-script \
+-	src/firewall-config \
+ 	src/firewall \
+ 	src/network
+ 
+diff --git a/src/firewall b/src/firewall
+index c47ac61..569f413 100644
+--- a/src/firewall
++++ b/src/firewall
+@@ -45,6 +45,11 @@ case "${action}" in
+ 		exit $?
+ 		;;
+ 
++	settings)
++		firewall_cli_settings "$@"
++		exit $?
++		;;
++
+ 	*)
+ 		firewall_cli "ipv6" "${action}" "$@"
+ 		;;
+diff --git a/src/firewall-config b/src/firewall-config
+deleted file mode 100644
+index 53ec175..0000000
+--- a/src/firewall-config
++++ /dev/null
+@@ -1,29 +0,0 @@
+-#!/bin/bash
+-###############################################################################
+-#                                                                             #
+-# IPFire.org - A linux based firewall                                         #
+-# Copyright (C) 2012  IPFire Network Development Team                         #
+-#                                                                             #
+-# This program is free software: you can redistribute it and/or modify        #
+-# it under the terms of the GNU General Public License as published by        #
+-# the Free Software Foundation, either version 3 of the License, or           #
+-# (at your option) any later version.                                         #
+-#                                                                             #
+-# This program is distributed in the hope that it will be useful,             #
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+-# GNU General Public License for more details.                                #
+-#                                                                             #
+-# You should have received a copy of the GNU General Public License           #
+-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+-#                                                                             #
+-###############################################################################
+-
+-. /usr/lib/network/functions
+-
+-# Read firewall settings
+-firewall_settings_read
+-
+-firewall_cli_settings "$@"
+-
+-exit ${EXIT_ERROR}
+-- 
+2.39.2
+
diff --git a/network/patches/0124-wireless-Do-not-attempt-DFS-when-reg-domain-is-set-t.patch b/network/patches/0124-wireless-Do-not-attempt-DFS-when-reg-domain-is-set-t.patch
new file mode 100644
index 000000000..d7e631785
--- /dev/null
+++ b/network/patches/0124-wireless-Do-not-attempt-DFS-when-reg-domain-is-set-t.patch
@@ -0,0 +1,30 @@ 
+From 038a7f3628f6b7648f89bb3ef6813e757fed6fec Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 23 Jun 2019 10:30:17 +0000
+Subject: [PATCH 124/304] wireless: Do not attempt DFS when reg domain is set
+ to world
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.wireless | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/functions/functions.wireless b/src/functions/functions.wireless
+index 733a356..860b2dd 100644
+--- a/src/functions/functions.wireless
++++ b/src/functions/functions.wireless
+@@ -555,6 +555,11 @@ wireless_supports_dfs() {
+ 	local device="${1}"
+ 	assert isset device
+ 
++	# DFS is not supported if wireless reg domain is set to world
++	if [ -n "${WIRELESS_REGULATORY_DOMAIN}" ] || [ "${WIRELESS_REGULATORY_DOMAIN}" = "00" ]; then
++		return ${EXIT_FALSE}
++	fi
++
+ 	local phy="$(device_get_phy "${device}")"
+ 	if ! isset phy; then
+ 		log ERROR "Could not determine PHY for ${device}"
+-- 
+2.39.2
+
diff --git a/network/patches/0125-bird-Start-service-when-needed-and-not-already-runni.patch b/network/patches/0125-bird-Start-service-when-needed-and-not-already-runni.patch
new file mode 100644
index 000000000..ad660cf7c
--- /dev/null
+++ b/network/patches/0125-bird-Start-service-when-needed-and-not-already-runni.patch
@@ -0,0 +1,42 @@ 
+From 0d99f882ea0f8c4b1c55f7107067a0cb35fedfb3 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 23 Jun 2019 10:33:48 +0000
+Subject: [PATCH 125/304] bird: Start service when needed and not already
+ running
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/functions/functions.bird | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/functions/functions.bird b/src/functions/functions.bird
+index 55d43b5..cbcb6e2 100644
+--- a/src/functions/functions.bird
++++ b/src/functions/functions.bird
+@@ -21,6 +21,10 @@
+ 
+ BIRD_CONF="/etc/bird.conf"
+ 
++bird_is_active() {
++	service_is_active "bird.service"
++}
++
+ bird_start() {
+ 	service_start "bird.service"
+ }
+@@ -41,7 +45,11 @@ bird_update() {
+ 	fi
+ 
+ 	# Reload bird
+-	bird_reload
++	if bird_is_active; then
++		bird_reload
++	else
++		bird_start
++	fi
+ }
+ 
+ bird_generate_config() {
+-- 
+2.39.2
+
diff --git a/network/patches/0126-ip-tunnel-Support-setting-MTU-on-tunnels.patch b/network/patches/0126-ip-tunnel-Support-setting-MTU-on-tunnels.patch
new file mode 100644
index 000000000..78fc906ba
--- /dev/null
+++ b/network/patches/0126-ip-tunnel-Support-setting-MTU-on-tunnels.patch
@@ -0,0 +1,60 @@ 
+From 9515b03940a0fac2db3fff105638f49a53f85e7d Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 23 Jun 2019 11:57:17 +0000
+Subject: [PATCH 126/304] ip-tunnel: Support setting MTU on tunnels
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ src/hooks/zones/ip-tunnel | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/hooks/zones/ip-tunnel b/src/hooks/zones/ip-tunnel
+index c4a4fb4..3c885cb 100644
+--- a/src/hooks/zones/ip-tunnel
++++ b/src/hooks/zones/ip-tunnel
+@@ -26,6 +26,7 @@ SUPPORTED_IP_TUNNEL_MODES="gre sit vti"
+ HOOK_SETTINGS=(
+ 	"MARK"
+ 	"MODE"
++	"MTU"
+ 	"PEER"
+ 	"LOCAL_ADDRESS"
+ )
+@@ -33,6 +34,9 @@ HOOK_SETTINGS=(
+ # Default mode of the tunnel
+ DEFAULT_MODE="gre"
+ 
++# Default MTU
++DEFAULT_MTU="1480"
++
+ hook_check_settings() {
+ 	assert isset MODE && assert isoneof MODE ${SUPPORTED_IP_TUNNEL_MODES}
+ 
+@@ -67,6 +71,16 @@ hook_parse_cmdline() {
+ 				fi
+ 				;;
+ 
++			--mtu=*)
++				MTU="$(cli_get_val "${1}")"
++
++				# Validate MTU
++				if ! mtu_is_valid "ipv6" "${MTU}"; then
++					error "Invalid MTU: ${MTU}"
++					return ${EXIT_ERROR}
++				fi
++				;;
++
+ 			--peer=*)
+ 				PEER="$(cli_get_val "${1}")"
+ 				;;
+@@ -116,6 +130,7 @@ hook_up() {
+ 	if ! device_exists "${zone}"; then
+ 		ip_tunnel_add "${zone}" \
+ 			--mode="${MODE}" \
++			--mtu="${MTU}" \
+ 			--remote-address="${PEER}" \
+ 			--local-address="${LOCAL_ADDRESS}" \
+ 			--ikey="${MARK}" \
+-- 
+2.39.2
+
diff --git a/network/patches/0127-firewall-Fix-generating-systemd-file.patch b/network/patches/0127-firewall-Fix-generating-systemd-file.patch
new file mode 100644
index 000000000..9248fb44f
--- /dev/null
+++ b/network/patches/0127-firewall-Fix-generating-systemd-file.patch
@@ -0,0 +1,33 @@ 
+From b41f1f866ef816e6ea7dd9e23e11e36a588ed611 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 23 Jun 2019 15:37:41 +0000
+Subject: [PATCH 127/304] firewall: Fix generating systemd file
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am                                           | 3 +--
+ src/systemd/{firewall.service => firewall.service.in} | 0
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+ rename src/systemd/{firewall.service => firewall.service.in} (100%)
+
+diff --git a/Makefile.am b/Makefile.am
+index 4fe5068..78da25f 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -374,8 +374,7 @@ INSTALL_DIRS += \
+ endif
+ 
+ EXTRA_DIST += \
+-	src/systemd/firewall4.service.in \
+-	src/systemd/firewall6.service.in \
++	src/systemd/firewall.service.in \
+ 	src/systemd/firewall-init.service.in \
+ 	src/systemd/network-init.service.in \
+ 	src/systemd/network@.service.in
+diff --git a/src/systemd/firewall.service b/src/systemd/firewall.service.in
+similarity index 100%
+rename from src/systemd/firewall.service
+rename to src/systemd/firewall.service.in
+-- 
+2.39.2
+
diff --git a/network/patches/0128-Make-generating-man-pages-optional.patch b/network/patches/0128-Make-generating-man-pages-optional.patch
new file mode 100644
index 000000000..1dd835994
--- /dev/null
+++ b/network/patches/0128-Make-generating-man-pages-optional.patch
@@ -0,0 +1,69 @@ 
+From dbe28a055de31302f0b8101e4e294394c6c2b63c Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Fri, 21 Jun 2019 14:37:03 +0100
+Subject: [PATCH 128/304] Make generating man-pages optional
+
+Fixes: #11862
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am  |  4 +++-
+ configure.ac | 12 +++++++++++-
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 78da25f..b6ba5ac 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -480,11 +480,13 @@ MANPAGES_XML  = $(patsubst %.txt,%.xml,$(MANPAGES_TXT))
+ .PHONY: man
+ man: $(MANPAGES) $(MANPAGES_HTML)
+ 
++if ENABLE_MANPAGES
+ man_MANS = \
+ 	$(MANPAGES)
++endif
+ 
+ CLEANFILES += \
+-	$(man_MANS) \
++	$(MANPAGES) \
+ 	$(MANPAGES_HTML) \
+ 	$(MANPAGES_XML)
+ 
+diff --git a/configure.ac b/configure.ac
+index 340cfd6..37c17e3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -123,6 +123,14 @@ AS_IF([test "x$enable_debug" = "xyes"], [
+ 	AC_DEFINE(ENABLE_DEBUG, [1], [Debug messages.])
+ ])
+ 
++# ------------------------------------------------------------------------------
++
++have_manpages=no
++AC_ARG_ENABLE(manpages, AS_HELP_STRING([--disable-man-pages],
++	[do not install man pages]))
++AS_IF([test "x$enable_manpages" != xno], [have_manpages=yes])
++AM_CONDITIONAL(ENABLE_MANPAGES, [test "x$have_manpages" = "xyes"])
++
+ # ------------------------------------------------------------------------------
+ AC_ARG_WITH([systemdsystemunitdir],
+ 	AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
+@@ -144,7 +152,7 @@ PKG_CHECK_MODULES([LIBNL], [libnl-3.0 libnl-genl-3.0])
+ # ------------------------------------------------------------------------------
+ 
+ AC_CHECK_PROGS(ASCIIDOC, [asciidoc])
+-if test -z "${ASCIIDOC}"; then
++if test "${have_manpages}" = "yes" && test -z "${ASCIIDOC}"; then
+ 	AC_MSG_ERROR([Required program 'asciidoc' not found])
+ fi
+ 
+@@ -167,4 +175,6 @@ AC_MSG_RESULT([
+ 
+ 	systemdsystemunitdir: $systemdsystemunitdir
+ 	udevdir:              $udevdir
++
++	Generate man-pages:   ${have_manpages}
+ ])
+-- 
+2.39.2
+
diff --git a/network/patches/0129-Add-documentation-for-the-IPsec-VPN.patch b/network/patches/0129-Add-documentation-for-the-IPsec-VPN.patch
new file mode 100644
index 000000000..4cf29d53f
--- /dev/null
+++ b/network/patches/0129-Add-documentation-for-the-IPsec-VPN.patch
@@ -0,0 +1,135 @@ 
+From 18bace574c15e966b8e3571cc00be287236162b5 Mon Sep 17 00:00:00 2001
+From: Jonatan Schlag <jonatan.schlag@ipfire.org>
+Date: Mon, 24 Jun 2019 13:30:14 +0200
+Subject: [PATCH 129/304] Add documentation for the IPsec VPN
+
+Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ man/network-vpn-ipsec.txt | 97 +++++++++++++++++++++++++++++++++++++++
+ man/network-vpn.txt       |  5 ++
+ 2 files changed, 102 insertions(+)
+ create mode 100644 man/network-vpn-ipsec.txt
+
+diff --git a/man/network-vpn-ipsec.txt b/man/network-vpn-ipsec.txt
+new file mode 100644
+index 0000000..25347a8
+--- /dev/null
++++ b/man/network-vpn-ipsec.txt
+@@ -0,0 +1,97 @@
++= network-vpn-security-policies(8)
++
++== NAME
++network-ipsec - Configure IPsec VPN connections 
++
++== SYNOPSIS
++[verse]
++'network vpn ipsec [new|destroy]' NAME...
++'network vpn ipsec' NAME COMMAND ...
++
++== DESCRIPTION
++With help of the 'vpn ipsec', it is possible to create, destroy
++and edit IPsec VPN connections.
++
++
++== COMMANDS
++The following commands are understood:
++
++'new NAME'::
++	A new IPsec VPN connection may be created with the 'new' command.
++	+
++	NAME does not allow any spaces.
++
++'destroy NAME'::
++	A IPsec VPN connection can be destroyed with this command.
++
++For all other commands, the name of the IPsec VPN connection needs to be passed first:
++
++'NAME show'::
++	Shows the configuration of the IPsec VPN connection 
++
++'NAME authentication mode'::
++	Set the authentication mode out of the following available modes:
++	* psk
++
++'NAME authentication psk PSK'::
++	Set the pre-shared-key to PSK, only useful when the authentication mode is psk:
++
++include::include-color.txt[]
++
++include::include-description.txt[]
++
++'NAME down'::
++	Shutdown a etablished IPsec VPN connection
++
++'NAME inactivity-timeout TIME'::
++	Set the inactivity timeout with TIME in seconds or in the format hh:mm:ss
++
++'NAME local id ID'::
++	Specify the identity of the local system.
++	+
++	The ID must be in one of the following formats:
++	* IP address
++	* FQDN
++	* a string which starts with @
++
++'NAME local prefix [PREFIX-LIST|+PREFIX ...|-PREFIX ...]'::
++	Specify the subnets of the local system which should be made available to the remote peer.
++
++'NAME mode [transport|tunnel]'::
++	Set the mode of the IPsec VPN connection. 
++
++'NAME peer PEER'::
++	Set the peer to which the IPsec VPN connection should be etablished.
++
++'NAME remote id ID'::
++	Specify the identity of the remote machine.
++	+
++	The ID must be in one of the following formats:
++	* IP address
++	* FQDN
++	* A string which starts with @
++
++'NAME remote prefix [PREFIX-LIST|+PREFIX ...|-PREFIX ...]'::
++	Specify the subnets which the remote side makes available to us.
++
++'NAME security-policy'::
++	Set the security policy which the connection uses.
++	+
++	See link:network-vpn-security-policies[8] for details.
++
++'NAME up'::
++	Establishes the IPsec VPN connection to the remote peer.
++
++'NAME zone'::
++	When you specify a zone of type ip-tunnel here the IPsec connection is established over a vti tunnel.
++	The remote and local prefixes are ignored. Imagine a fiber connection between this two machines, and how you would use it.
++	The IPsec VPN connection works in the same way. You must configure routes and IP addresses of the ip-tunnel hook manually.
++
++
++== AUTHORS
++Michael Tremer,
++Jonatan Schlag
++
++== SEE ALSO
++link:network[8],
++link:network-vpn[8]
+diff --git a/man/network-vpn.txt b/man/network-vpn.txt
+index 5a905db..be33606 100644
+--- a/man/network-vpn.txt
++++ b/man/network-vpn.txt
+@@ -19,6 +19,11 @@ The following commands are understood:
+ 	+
+ 	See link:network-vpn-security-policies[8] for details.
+ 
++'ipsec' ...::
++	Use this command to manage ipsec vpn connections.
++	+
++	See link:network-vpn-ipsec[8] for details.
++
+ == AUTHORS
+ Michael Tremer
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0130-Makefile-Add-network-vpn-ipsec-8.patch b/network/patches/0130-Makefile-Add-network-vpn-ipsec-8.patch
new file mode 100644
index 000000000..2832396ec
--- /dev/null
+++ b/network/patches/0130-Makefile-Add-network-vpn-ipsec-8.patch
@@ -0,0 +1,25 @@ 
+From 2612a6f4bb0bcc3e155425a653705146eb65d7cd Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 24 Jun 2019 13:28:01 +0100
+Subject: [PATCH 130/304] Makefile: Add network-vpn-ipsec(8)
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index b6ba5ac..a5ea123 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -460,6 +460,7 @@ MANPAGES = \
+ 	man/network-route-static.8 \
+ 	man/network-settings.8 \
+ 	man/network-vpn.8 \
++	man/network-vpn-ipsec.8 \
+ 	man/network-vpn-security-policies.8 \
+ 	man/network-zone.8 \
+ 	man/network-zone-bridge.8 \
+-- 
+2.39.2
+
diff --git a/network/patches/0131-security-policies-performance-Remove-CBC-ciphers.patch b/network/patches/0131-security-policies-performance-Remove-CBC-ciphers.patch
new file mode 100644
index 000000000..92b549ec4
--- /dev/null
+++ b/network/patches/0131-security-policies-performance-Remove-CBC-ciphers.patch
@@ -0,0 +1,23 @@ 
+From 2cb783babd59716366984c8908e70285f23347f3 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Mon, 24 Jun 2019 13:28:12 +0100
+Subject: [PATCH 131/304] security-policies: performance: Remove CBC ciphers
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ config/vpn/security-policies/performance | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/vpn/security-policies/performance b/config/vpn/security-policies/performance
+index 9b8e943..b226d8d 100644
+--- a/config/vpn/security-policies/performance
++++ b/config/vpn/security-policies/performance
+@@ -1,4 +1,4 @@
+-CIPHERS="CHACHA20-POLY1305 AES128-GCM128 AES128-CBC"
++CIPHERS="CHACHA20-POLY1305 AES128-GCM128"
+ COMPRESSION="off"
+ GROUP_TYPES="ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
+ INTEGRITIES="SHA256"
+-- 
+2.39.2
+
diff --git a/network/patches/0132-IPsec-Add-support-for-Curve448.patch b/network/patches/0132-IPsec-Add-support-for-Curve448.patch
new file mode 100644
index 000000000..0238aad9a
--- /dev/null
+++ b/network/patches/0132-IPsec-Add-support-for-Curve448.patch
@@ -0,0 +1,65 @@ 
+From 27208caa363cad7c2250bdff5b99a9bc16a5ca91 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Wed, 2 Oct 2019 10:36:13 +0000
+Subject: [PATCH 132/304] IPsec: Add support for Curve448
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ config/vpn/security-policies/performance      | 2 +-
+ config/vpn/security-policies/system           | 2 +-
+ src/functions/functions.vpn-security-policies | 6 +++++-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/config/vpn/security-policies/performance b/config/vpn/security-policies/performance
+index b226d8d..209f43d 100644
+--- a/config/vpn/security-policies/performance
++++ b/config/vpn/security-policies/performance
+@@ -1,6 +1,6 @@
+ CIPHERS="CHACHA20-POLY1305 AES128-GCM128"
+ COMPRESSION="off"
+-GROUP_TYPES="ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
++GROUP_TYPES="CURVE25519 CURVE448 ECP521 ECP384 ECP256 ECP224 ECP192"
+ INTEGRITIES="SHA256"
+ PSEUDO_RANDOM_FUNCTIONS="SHA256"
+ KEY_EXCHANGE="ikev2"
+diff --git a/config/vpn/security-policies/system b/config/vpn/security-policies/system
+index db30e69..6ceb0c4 100644
+--- a/config/vpn/security-policies/system
++++ b/config/vpn/security-policies/system
+@@ -1,7 +1,7 @@
+ KEY_EXCHANGE="ikev2"
+ CIPHERS="CHACHA20-POLY1305 AES256-GCM128 AES256-CBC AES192-GCM128 AES192-CBC AES128-GCM128 AES128-CBC"
+ INTEGRITIES="SHA512 SHA384 SHA256"
+-GROUP_TYPES="CURVE25519 ECP521 ECP384 ECP256 ECP224 ECP192 MODP8192 MODP6144 MODP4096 MODP2048"
++GROUP_TYPES="CURVE25519 CURVE448 ECP521 ECP384 ECP256 ECP224 ECP192 MODP8192 MODP6144 MODP4096 MODP2048"
+ PSEUDO_RANDOM_FUNCTIONS="SHA512 SHA384 SHA256"
+ LIFETIME="28800"
+ PFS="on"
+diff --git a/src/functions/functions.vpn-security-policies b/src/functions/functions.vpn-security-policies
+index d1d720b..138e821 100644
+--- a/src/functions/functions.vpn-security-policies
++++ b/src/functions/functions.vpn-security-policies
+@@ -263,6 +263,9 @@ declare -A VPN_SUPPORTED_GROUP_TYPES=(
+ 
+ 	# Curve25519
+ 	[CURVE25519]="256 bit Elliptic Curve 25519"
++
++	# Curve448
++	[CURVE448]="224 bit Elliptic Curve 448"
+ )
+ 
+ declare -A GROUP_TYPE_TO_STRONGSWAN=(
+@@ -289,8 +292,9 @@ declare -A GROUP_TYPE_TO_STRONGSWAN=(
+ 	[ECP384BP]="ecp384bp"
+ 	[ECP512BP]="ecp512bp"
+ 
+-	# Curve25519
++	# More Curves
+ 	[CURVE25519]="curve25519"
++	[CURVE448]="curve448"
+ )
+ 
+ cli_vpn_security_policies() {
+-- 
+2.39.2
+
diff --git a/network/patches/0133-Disable-copybreak.patch b/network/patches/0133-Disable-copybreak.patch
new file mode 100644
index 000000000..c1294c8fb
--- /dev/null
+++ b/network/patches/0133-Disable-copybreak.patch
@@ -0,0 +1,112 @@ 
+From ea4abb82bc6e613ddebd6235f792dd5bbbc469c9 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Thu, 7 May 2020 20:30:03 +0100
+Subject: [PATCH 133/304] Disable copybreak
+
+Some network interface drivers employ a scheme known as "copybreak"
+in which they make a copy of a received skb if the size of the
+buffer is below a particular threshold, then return the original
+receive skb back to the pool.  Since these drivers initially
+allocate a buffer size that is larger than the largest possible
+packet, this scheme returns that large buffer to the pool quickly,
+and uses a smaller one.
+
+The primary benefit of copybreak is better memory utilization.  On
+systems where the data is ultimately going to be copied out to user
+space, the copybreak scheme is "low cost" because it has the side
+benefit of priming the cache for that later copy.  But on a router
+that only touches the header fields of a received packet, the cost
+can be relatively higher.  And on modern systems the memory savings
+is rarely an important consideration.
+
+Some of the drivers that employ copybreak make the feature
+configurable via a module parameter.  This file disables copybreak
+in some of those drivers.  Generally this results in an improvement
+in forwarding performance for traffic using these drivers.
+
+Fixes: #11930
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
+---
+ Makefile.am                      |  6 +++++
+ src/modprobe.d/no-copybreak.conf | 44 ++++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+)
+ create mode 100644 src/modprobe.d/no-copybreak.conf
+
+diff --git a/Makefile.am b/Makefile.am
+index a5ea123..4aa7314 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -31,6 +31,7 @@ AUTOMAKE_OPTIONS = color-tests
+ configdir        = $(sysconfdir)/network
+ bashcompletiondir= $(datadir)/bash-completion/completions
+ libexecdir       = $(prefix)/lib
++modprobedir      = $(prefix)/lib/modprobe.d
+ pkgconfigdir     = $(libdir)/pkgconfig
+ pppdir           = $(sysconfdir)/ppp
+ systemconfigdir  = $(datadir)/network
+@@ -396,6 +397,11 @@ dist_sysctl_DATA = \
+ 
+ # ------------------------------------------------------------------------------
+ 
++dist_modprobe_DATA = \
++	src/modprobe.d/no-copybreak.conf
++
++# ------------------------------------------------------------------------------
++
+ dist_bashcompletion_SCRIPTS = \
+ 	src/bash-completion/network
+ 
+diff --git a/src/modprobe.d/no-copybreak.conf b/src/modprobe.d/no-copybreak.conf
+new file mode 100644
+index 0000000..97ea886
+--- /dev/null
++++ b/src/modprobe.d/no-copybreak.conf
+@@ -0,0 +1,44 @@
++#
++# Some network interface drivers employ a scheme known as "copybreak"
++# in which they make a copy of a received skb if the size of the
++# buffer is below a particular threshold, then return the original
++# receive skb back to the pool.  Since these drivers initially
++# allocate a buffer size that is larger than the largest possible
++# packet, this scheme returns that large buffer to the pool quickly,
++# and uses a smaller one. 
++# 
++# The primary benefit of copybreak is better memory utilization.  On
++# systems where the data is ultimately going to be copied out to user
++# space, the copybreak scheme is "low cost" because it has the side
++# benefit of priming the cache for that later copy.  But on a router
++# that only touches the header fields of a received packet, the cost
++# can be relatively higher.  And on modern systems the memory savings
++# is rarely an important consideration.
++# 
++# Some of the drivers that employ copybreak make the feature
++# configurable via a module parameter.  This file disables copybreak
++# in some of those drivers.  Generally this results in an improvement
++# in forwarding performance for traffic using these drivers.
++#
++
++options 3c515 rx_copybreak=0
++options 3c59x rx_copybreak=0
++options bcm63xx copybreak=0
++options cxgb copybreak=0
++options e1000 copybreak=0
++options e1000e copybreak=0
++options epic100 rx_copybreak=0
++options fealnx rx_copybreak=0
++options hamachi rx_copybreak=0
++options ixgb copybreak=0
++options natsemi rx_copybreak=0
++options pch_gbe copybreak=0
++options pcnet32 rx_copybreak=0
++options sis190 rx_copybreak=0
++options sky2 copybreak=0
++options starfire rx_copybreak=0
++options sundance rx_copybreak=0
++options typhoon rx_copybreak=0
++options via-rhine rx_copybreak=0
++options via-velocity rx_copybreak=0
++options yellowfin rx_copybreak=0
+-- 
+2.39.2
+
diff --git a/network/patches/0134-configure-Check-for-libsystemd.patch b/network/patches/0134-configure-Check-for-libsystemd.patch
new file mode 100644
index 000000000..c47bd0bb8
--- /dev/null
+++ b/network/patches/0134-configure-Check-for-libsystemd.patch
@@ -0,0 +1,25 @@ 
+From ed993fc9d436da0788eca6f80374c9cd85b8bb9b Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 22 Jan 2023 12:33:11 +0000
+Subject: [PATCH 134/304] configure: Check for libsystemd
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ configure.ac | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/configure.ac b/configure.ac
+index 37c17e3..f3a9c17 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -148,6 +148,7 @@ AM_CONDITIONAL(HAVE_UDEV, [test -n "$with_udevdir"])
+ # ------------------------------------------------------------------------------
+ 
+ PKG_CHECK_MODULES([LIBNL], [libnl-3.0 libnl-genl-3.0])
++PKG_CHECK_MODULES([SYSTEMD], [libsystemd])
+ 
+ # ------------------------------------------------------------------------------
+ 
+-- 
+2.39.2
+
diff --git a/network/patches/0135-Makefile-Add-scaffolding-for-networkd.patch b/network/patches/0135-Makefile-Add-scaffolding-for-networkd.patch
new file mode 100644
index 000000000..1f716ffae
--- /dev/null
+++ b/network/patches/0135-Makefile-Add-scaffolding-for-networkd.patch
@@ -0,0 +1,93 @@ 
+From 050f4ece8900b9212de57b3564381d82540323aa Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 22 Jan 2023 12:41:47 +0000
+Subject: [PATCH 135/304] Makefile: Add scaffolding for networkd
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ .gitignore          |  1 +
+ Makefile.am         | 18 ++++++++++++++++++
+ src/networkd/main.c | 23 +++++++++++++++++++++++
+ 3 files changed, 42 insertions(+)
+ create mode 100644 src/networkd/main.c
+
+diff --git a/.gitignore b/.gitignore
+index bb093d3..e3bae67 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -3,6 +3,7 @@
+ /config.*
+ /libtool
+ /missing
++/networkd
+ /src/functions/functions
+ /src/inetcalc
+ /src/libnetwork/libnetwork.pc
+diff --git a/Makefile.am b/Makefile.am
+index 4aa7314..64ad94d 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -61,6 +61,7 @@ INSTALL_DIRS =
+ INSTALL_EXEC_HOOKS =
+ UNINSTALL_EXEC_HOOKS =
+ noinst_DATA =
++sbin_PROGRAMS =
+ 
+ AM_CPPFLAGS = \
+ 	$(OUR_CPPFLAGS) \
+@@ -299,6 +300,23 @@ EXTRA_DIST += \
+ 
+ # ------------------------------------------------------------------------------
+ 
++sbin_PROGRAMS += \
++	networkd
++
++dist_networkd_SOURCES = \
++	src/networkd/main.c
++
++networkd_CPPFLAGS = \
++	$(AM_CPPFLAGS)
++
++networkd_CFLAGS = \
++	$(AM_CFLAGS)
++
++networkd_LDFLAGS = \
++	$(AM_LDFLAGS)
++
++# ------------------------------------------------------------------------------
++
+ util_PROGRAMS = \
+ 	src/utils/network-phy-list-channels \
+ 	src/utils/network-phy-list-ciphers \
+diff --git a/src/networkd/main.c b/src/networkd/main.c
+new file mode 100644
+index 0000000..14aafdd
+--- /dev/null
++++ b/src/networkd/main.c
+@@ -0,0 +1,23 @@
++/*#############################################################################
++#                                                                             #
++# IPFire.org - A linux based firewall                                         #
++# Copyright (C) 2023 IPFire Network Development Team                          #
++#                                                                             #
++# This program is free software: you can redistribute it and/or modify        #
++# it under the terms of the GNU General Public License as published by        #
++# the Free Software Foundation, either version 3 of the License, or           #
++# (at your option) any later version.                                         #
++#                                                                             #
++# This program is distributed in the hope that it will be useful,             #
++# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
++# GNU General Public License for more details.                                #
++#                                                                             #
++# You should have received a copy of the GNU General Public License           #
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
++#                                                                             #
++#############################################################################*/
++
++int main(int argc, char** argv) {
++	return 0;
++}
+-- 
+2.39.2
+
diff --git a/network/patches/0136-networkd-Link-against-systemd.patch b/network/patches/0136-networkd-Link-against-systemd.patch
new file mode 100644
index 000000000..0ff8ce40e
--- /dev/null
+++ b/network/patches/0136-networkd-Link-against-systemd.patch
@@ -0,0 +1,34 @@ 
+From 5d326bbb3f564cdb7031d80850bd3fe3c7565233 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 29 Jan 2023 21:18:34 +0000
+Subject: [PATCH 136/304] networkd: Link against systemd
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---
+ Makefile.am | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 64ad94d..74b2fae 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -310,11 +310,15 @@ networkd_CPPFLAGS = \
+ 	$(AM_CPPFLAGS)
+ 
+ networkd_CFLAGS = \
+-	$(AM_CFLAGS)
++	$(AM_CFLAGS) \
++	$(SYSTEMD_CFLAGS)
+ 
+ networkd_LDFLAGS = \
+ 	$(AM_LDFLAGS)
+ 
++networkd_LDADD = \
++	$(SYSTEMD_LIBS)
++
+ # ------------------------------------------------------------------------------
+ 
+ util_PROGRAMS = \
+-- 
+2.39.2
+
diff --git a/network/patches/0137-networkd-Tell-systemd-about-the-daemon-status.patch b/network/patches/0137-networkd-Tell-systemd-about-the-daemon-status.patch
new file mode 100644
index 000000000..005bffe4b
--- /dev/null
+++ b/network/patches/0137-networkd-Tell-systemd-about-the-daemon-status.patch
@@ -0,0 +1,47 @@ 
+From 26acbb4e03e3a44e6046884eab25f6c7e376c105 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer@ipfire.org>
+Date: Sun, 29 Jan 2023 21:18:53 +0000
+Subject: [PATCH 137/304] networkd: Tell systemd about the daemon status
+
+Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+---